Foreword



This volume contains a selection of papers presented at the International Conference on Analytic Tableaux and Related Methods (TABLEAUX’99) held on June 7-11, 1999 at the Inn at Saratoga, Saratoga Springs, NY, USA. This conference was the continuation of international meetings on Theorem Proving with Analytic Tableaux and Related Methods held in Lautenbach near Karlsruhe (1992), Marseille (1993), Abingdon near Oxford (1994), St. Goar near Koblenz (1995), Terrasini near Palermo (1996), Pont-à-Mousson near Nancy (1997), and Oisterwijk near Tilburg (1998). TABLEAUX’99 marks the first time the conference has been held in North America.

Tableau and related methods have been found to be convenient and effective for automating deduction in various non-standard logics as well as in classical logic. Examples taken from this meeting alone include temporal, description, tense, quantum, modal, projective, hybrid, intuitionistic, and linear logics. Areas of application include verification of software and computer systems, deductive databases, knowledge representation and its required inference engines, and system diagnosis. The conference brought together researchers interested in all aspects - theoretical foundations, implementation techniques, systems development and applications - of the mechanization of reasoning with tableaux and related methods.

The members of the program committee worked diligently in selecting the presented papers. Each research paper was given a formal evaluation by three referees - to whom we are indeed grateful. From the 41 submissions received, 18 original research papers and 3 original system descriptions were chosen by the program committee for presentation at the conference and for inclusion in these proceedings, together with the invited lectures. Also included are the abstracts of 2 tutorials, a summary of the non-classical systems comparison conducted for TABLEAUX’99, descriptions of the comparison entries, and the titles and authors of position papers, which were also presented at the conference.

Acknowledgements. First, I would like to thank the local arrangements chair, Joan Nellhaus, who helped with virtually all aspects of organizing the conference. I also thank Fabio Massacci, who organized the comparison. Ron Goebel put much time and effort into installing the web software that facilitated secure discussions amongst program committee members.

I also thank the authors of all submissions, the speakers, the tutorial organizers, the comparison entrants, program committee members, and, last but not least, the sponsors, who made it possible to organize this conference in Saratoga Springs, NY.



March 1999 



Neil V. Murray 
with Uninterpreted Functions*



Randal E. Bryant¹, Steven German², and Miroslav N. Velev³

¹ Computer Science, Carnegie Mellon University, Pittsburgh, PA
Randy.Bryant@cs.cmu.edu
² IBM Watson Research Center, Yorktown Hts., NY
german@watson.ibm.com
³ Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA
Abstract. Modern processors have relatively simple specifications based on their instruction set architectures. Their implementations, however, are very complex, especially with the advent of performance-enhancing techniques such as pipelining, superscalar operation, and speculative execution. Formal techniques to verify that a processor implements its instruction set specification could yield more reliable results at a lower cost than the current simulation-based verification techniques used in industry.

The logic of equality with uninterpreted functions (EUF) provides a means of abstracting the manipulation of data by a processor when verifying the correctness of its control logic. Using a method devised by Burch and Dill [BD94], the correctness of a processor can be inferred by deciding the validity of a formula in EUF describing the comparative effect of running one clock cycle of processor operation to that of executing a small number (based on the processor issue rate) of machine instructions.

This paper describes recent advances in reducing formulas in EUF to propositional logic. We can then use either Binary Decision Diagrams (BDDs) or satisfiability procedures to determine whether this propositional formula is a tautology. We can exploit characteristics of the formulas generated when modeling processors to significantly reduce the number of propositional variables, and consequently the complexity, of the verification task.



1 Introduction 

Microprocessors are among the most complex electronic systems created today. High performance processors require millions of transistors and employ exotic techniques such as pipelining, multiple instruction issue, branch prediction, speculative and/or out-of-order execution, register renaming, and many forms of caching [HP96]. When correctly implemented, these implementation artifacts should be invisible to the user. The

* This research was supported at Carnegie Mellon University by SRC Contract 98-DC-068 and by grants from Fujitsu, Motorola, and Intel.
processor should produce the same results as if it had executed the machine code in strict, sequential order.

Design errors can often lead to violations of the sequential semantics. For example, 
an update to a register or memory location by one instruction may not be detected by an 
instruction following too closely in the pipeline. An instruction following a conditional 
branch may be executed prematurely, modifying a register even though the processor 
later determines that the branch is taken. Such hazard possibilities increase dramatically 
as the instruction pipelines increase in both depth and width. 

Historically, microprocessor designs have been validated by extensive simulation. 
Instruction sequences are executed, in simulation, on two different models: a high-level 
model describing the desired effect of each instruction and a low-level model capturing 
the detailed pipeline structure. The results from these simulations are then compared 
for discrepancies. The instruction sequences may be taken from actual programs or 
synthetically generated to exercise different aspects of the pipeline structure [KN96]. 

Validation by simulation becomes increasingly costly and unreliable as processors increase in complexity. The number of tests required to cover all possible pipeline interactions becomes overwhelming. Furthermore, simulation test generators suffer from a fundamental limitation due to their use of information about the pipeline structure in determining the possible interactions in an instruction sequence that need to be simulated. A single conceptual design error can yield both an improperly-designed pipeline and a failure to test for a particular instruction combination.

As an alternative to simulation, a number of researchers have investigated using formal verification techniques to prove that a pipelined processor preserves the semantics of the instruction set model. Formal verification has the advantage that it demonstrates correct execution for all possible instruction sequences. Given the large amount of resources currently spent simulating processors, formal verification tools hold the promise of producing more reliable results at a lower cost.

Most of the complexity in modern processors comes from their control logic. The processing of data is localized to a few subsystems such as the arithmetic logic unit and the floating point unit. These can be formally verified separately. We can therefore create an abstract model of the processor that captures the complexities of the control logic while ignoring the details of the data processing. We view program data and addresses as symbolic “terms” having no specified mathematical properties other than the ability to compare two values for equality. We abstract the functionality of data processing blocks as uninterpreted functions, with no specified properties other than “functional consistency,” i.e., that applications of a function to equal arguments yield equal results: $x = y \Rightarrow f(x) = f(y)$.

Earlier work on formal verification of processors requires detailed analysis of the pipelined structure, e.g., using automated theorem provers [SB90]. Our interest is in
developing automated techniques that apply powerful symbolic evaluation techniques to 
analyze the behavior of the processor over all possible operating conditions. We believe 
that high degrees of automation are essential to gaining acceptance by chip designers. 

Burch and Dill [BD94] were the first to demonstrate that automated decision procedures for a logic of equality with uninterpreted functions (EUF) could be used to verify pipelined processors. They assume there are two abstract models of the processor — a “program” model providing a direct implementation of the instruction set, and a “pipeline” model that captures the complexities of the actual implementation. Verifying that the pipelined processor has behavior matching that of the program model can be performed by constructing a formula in EUF that compares for equality the terms describing the modifications to the programmer-visible state (i.e., the registers, data memory, and program counter) produced by the two models and then proving the validity of this formula.

In their 1994 paper, Burch and Dill also described the implementation of a decision procedure for this logic based on theorem proving search methods. Their procedure builds on ones originally described by Shostak [Sho79] and by Nelson and Oppen [NO80], using combinatorial search coupled with algorithms for maintaining a partitioning of the terms into equivalence classes based on the equalities that hold at a given step of the search. More details of their decision procedure are given in [BDL96].

This paper describes some of our recent results in reducing formulas in EUF to propositional logic in the context of verifying pipelined processors. We show that characteristics of the formulas generated can be exploited to significantly reduce the number of propositional variables and consequently the complexity of proving that the formula is a tautology. By reducing the validity condition to propositional logic, we can apply powerful Boolean methods such as Binary Decision Diagrams (BDDs) [Bry86] as well as highly-optimized satisfiability checkers. By this approach we have achieved much better performance than more classical decision procedures for formulas with uninterpreted functions. More of the technical details are presented in [BGV99b,BGV99a].

2 Verification Methodology 




Fig. 1. Correctness criterion for verifying that pipelined processor “pipe” preserves the 
sequential semantics of the machine-level language program “prog”. 



Our task is to verify that a processor will execute all possible instruction sequences properly. Since there is an infinite number of possible sequences, this condition cannot be proved directly. Instead, we show that each possible individual instruction will be executed correctly, regardless of the preceding and following instruction sequences. The correct execution of a complete sequence then follows by induction on its length.
One approach to proving the correctness of individual instructions is based on proving the invariance of an abstraction function between processor and program states by each instruction execution. A similar method was proposed by Hoare for proving the correctness of each operation in the implementation of an abstract data type [Hoa72].

We model the processor as having states in the set $\mathcal{Q}_{pipe}$, and the behavior of the processor for each clock cycle of operation by a next-state function $\delta_{pipe}\colon \mathcal{Q}_{pipe} \to \mathcal{Q}_{pipe}$. Similarly, the state visible to the assembly language programmer (typically the main memory, integer and floating point registers, program counter, and other status registers) is modeled by a state set $\mathcal{Q}_{prog}$ and the execution of a single program instruction by a next-state function $\delta_{prog}\colon \mathcal{Q}_{prog} \to \mathcal{Q}_{prog}$. In our simplified formulation, we do not consider the input or output to the processor, but rather assume that the action taken on each step is determined by the program or pipeline state.

Our task is to show a correspondence between the transformations on the pipeline state by the processor and on the program state by the instruction execution model. This correspondence can be described by an abstraction function $Abs\colon \mathcal{Q}_{pipe} \to \mathcal{Q}_{prog}$ identifying which program state is represented by a given pipeline state. Typically, this corresponds to the effect of completing any instructions in the pipeline without fetching any new instructions. For each pipeline state, there must be a value $k$ indicating the number of program instructions fetched in a given cycle that are ultimately executed. For example, classical RISC pipelines have $k \le 1$, while superscalar pipelines have $k$ bounded by their “issue rate,” typically between 2 and 8. In some pipeline states, we will have a value of $k$ less than its maximum (including possibly $k = 0$). This can occur when instructions must be stalled due to resource conflicts or data dependencies. It also occurs when instructions are fetched and partially executed, but their results are discarded, e.g., due to a mispredicted branch.

The first verification condition [Bur96] is the “correspondence” property illustrated in Figure 1:

$$\forall Q_{pipe} \in \mathcal{Q}_{pipe}\; \exists k\, \bigl[\delta_{prog}^{k}(Abs(Q_{pipe})) = Abs(\delta_{pipe}(Q_{pipe}))\bigr] \qquad (1)$$

where $\delta_{prog}^{k}$ denotes the $k$-fold composition of $\delta_{prog}$. Since $k$ is bounded by a small integer, we can eliminate the existential quantification in this equation by forming a disjunction over the possible values of $k$. For example, a dual-issue pipeline would have the verification condition:

$$\forall Q_{pipe} \in \mathcal{Q}_{pipe}\;\left[\begin{aligned} & Abs(Q_{pipe}) = Abs(\delta_{pipe}(Q_{pipe})) \;\vee \\ & \delta_{prog}(Abs(Q_{pipe})) = Abs(\delta_{pipe}(Q_{pipe})) \;\vee \\ & \delta_{prog}(\delta_{prog}(Abs(Q_{pipe}))) = Abs(\delta_{pipe}(Q_{pipe})) \end{aligned}\right] \qquad (2)$$



We require as a second verification condition that $Abs$ be surjective to guarantee that all program behaviors can be realized. That is, for every program state $Q_{prog}$, there must be a state $Q_{pipe}$ such that $Abs(Q_{pipe}) = Q_{prog}$.

We require as a third verification condition a “liveness” property that guarantees the processor can always make forward progress. Otherwise we could successfully “verify” a processor that never changes state, giving $k = 0$. This can be expressed by the verification condition:

$$\forall Q_{pipe} \in \mathcal{Q}_{pipe}\; \bigl[\delta_{prog}(Abs(Q_{pipe})) \neq Abs(Q_{pipe})\bigr] \Rightarrow \exists k\, \bigl[Abs(Q_{pipe}) \neq Abs(\delta_{pipe}^{k}(Q_{pipe}))\bigr] \qquad (3)$$

That is, as long as the corresponding program state is one in which the program makes forward progress (e.g., it is not repeatedly executing an instruction that jumps to itself), the pipeline will make forward progress within $k$ cycles for some value of $k$. In this paper, as with most of the research on processor verification, we will focus on the correspondence property given by Equation 1.

Observe that the abstraction function can be arbitrary, as long as it satisfies the three properties listed above. The soundness of the verification is not compromised by an incorrect abstraction function. That is, an invalid abstraction function will not cause the verifier to yield a “false positive” result, declaring a faulty pipeline to be correct. We can let the user provide us with the abstraction function [BF89,NJB97], but this becomes very cumbersome with increased pipeline complexity. Alternatively, we can attempt to derive the abstraction function directly from the pipeline structure [BD94]. Unlike simulation-based test generation, using information about the pipeline structure does not diminish the integrity of the verification.

Burch and Dill [BD94] first proposed using the pipeline description to automatically derive its own abstraction function. They do this by exploiting two properties found in many pipeline designs. First, the programmer-visible state is usually embedded within the overall processor state. That is, there are specific register and memory arrays for the program registers, the main memory, and the program counter. Second, the hardware has some mechanism for “flushing” the pipeline, i.e., to complete all instructions in the pipeline without fetching any new ones. For example, this would occur when the instruction cache misses and hence no new instructions could be fetched. A symbolic simulator, which computes the behavior of the circuit over symbolically-represented states, can automatically derive the abstraction function. First, we initialize the circuit to an arbitrary, symbolic state, covering all the states in $\mathcal{Q}_{pipe}$. We then symbolically simulate the behavior of a processor flush. We then examine the state in the program-visible register and memory elements and declare these symbolic values to represent the mapping $Abs$. Using similar symbolic simulation techniques, we can also compute the effect of the processor on an arbitrary pipeline state $\delta_{pipe}$ and the effect of executing an arbitrary program instruction $\delta_{prog}$. Thus, a symbolic simulator can solve the key problems related to verifying pipeline processors.



3 Logic of Equality with Uninterpreted Functions (EUF) 

The logic of Equality with Uninterpreted Functions (EUF) presented by Burch and Dill [BD94] can be expressed by the following syntax:

term ::= ITE(formula, term, term)
       | function-symbol(term, ..., term)
formula ::= true | false | (term = term)
       | (formula ∧ formula) | (formula ∨ formula) | ¬formula
       | predicate-symbol(term, ..., term)

In this logic, formulas have truth values while terms have values from some arbitrary domain. Terms are formed by application of uninterpreted function symbols and by applications of the ITE (for “if-then-else”) operator. The ITE operator chooses between two terms based on a Boolean control value, i.e., $ITE(\mathrm{true}, x_1, x_2)$ yields $x_1$ while $ITE(\mathrm{false}, x_1, x_2)$ yields $x_2$. Formulas are formed by comparing two terms for equality, by applying an uninterpreted predicate symbol to a list of terms, and by combining formulas using Boolean connectives. A formula expressing equality between two terms is called an equation.

The ITE operator distinguishes this logic from other logics of uninterpreted functions, e.g., that used by Shostak [Sho79]. It can be used to model the behavior of “multiplexors” in hardware as well as the effect of a conditional operation in a program. Observe also that this operation has a formula as an argument. We use truth values to represent control values rather than introducing a separate Boolean data type. As a consequence, our logic allows terms to contain formulas, and vice-versa. Although this nesting of operations can be “flattened” into a more conventional form such as conjunctive normal form, this process can cause the formula to grow exponentially. Instead, we prefer to devise decision procedures that can operate directly on our logic.

Every function symbol $f$ has an associated order, denoted $ord(f)$, indicating the number of terms it takes as arguments. Function symbols of order zero are referred to as domain variables. We use the shortened form $v$ rather than $v()$ to denote an instance of a domain variable. Similarly, every predicate $p$ has an associated order $ord(p)$. Predicates of order zero are referred to as propositional variables.

The truth of a formula is defined relative to a nonempty domain $\mathcal{D}$ of values and an interpretation $I$ of the function and predicate symbols. Interpretation $I$ assigns to each function symbol of order $k$ a function from $\mathcal{D}^k$ to $\mathcal{D}$, and to each predicate symbol of order $k$ a function from $\mathcal{D}^k$ to $\{\mathrm{true}, \mathrm{false}\}$. Given an interpretation $I$ of the function and predicate symbols and an expression $E$, we can define the valuation of $E$ under $I$, denoted $I[E]$, according to its syntactic structure. $I[E]$ will be an element of the domain when $E$ is a term, and a truth value when $E$ is a formula.

A formula $E$ is said to be true under interpretation $I$ when $I[E]$ equals true. It is said to be valid over domain $\mathcal{D}$ when it is true for all interpretations over domain $\mathcal{D}$. $E$ is said to be universally valid when it is valid over all domains.

4 Reducing EUF to Propositional Logic 

Ackermann has shown [Ack54] that the universal validity of any EUF formula $E$ can be decided by considering only interpretations over a finite domain. In particular, it suffices to have a domain as large as the number of syntactically distinct function application terms occurring in $E$. Such a domain provides enough distinct values to capture all possible combinations of equalities and inequalities between terms — the only property of terms that our logic considers.

Ackermann also described a technique for eliminating all applications of function and predicate symbols having nonzero order. Each function application is replaced by a domain variable and then constraints are added to enforce functional consistency. For example, if formula $F$ includes terms $f(x_1)$ and $f(x_2)$, we would introduce domain variables $fx_1$ and $fx_2$. We would modify $F$ to use these domain variables rather than their respective function application terms, giving formula $F'$. The verification condition would then be expressed as $[x_1 = x_2 \Rightarrow fx_1 = fx_2] \Rightarrow F'$. Observe how the antecedent enforces functional consistency. By this method, any EUF formula $F$ can be transformed into a formula $F^*$ containing only domain and propositional variables.

In principle we can therefore reduce any EUF formula $F$ having $n$ distinct function application terms to a propositional logic formula by considering as domain the set of all bit vectors of length $m$, for some value $m \ge \log_2 n$. Each term is then represented as a vector of $m$ formulas, with each domain variable encoded as a vector of $m$ propositional variables. We implemented a variation on this scheme using ordered Binary Decision Diagrams (BDDs) [Bry86] to represent the Boolean functions encoding the terms and formulas symbolically [VB98]. We were able to verify a simple RISC processor implementing only arithmetic instructions. Unfortunately, we found that the BDDs became too complex as we added memory load and store instructions or branch instructions. The interactions between the terms representing successive instructions created circular constraints on the variable ordering that precluded having a good variable ordering. More recent work by Pnueli et al. [PRSS99] has shown that by examining the detailed structure of the equations in a formula, much tighter bounds can be obtained on the size of the domain associated with each domain variable.

Goel et al. [GSZAS98] describe an alternate approach to reducing formulas in a logic of equality with uninterpreted functions to propositional logic. They first use Ackermann’s method to replace all function applications with domain variables coupled with constraints to impose functional consistency. They then introduce a propositional variable $e_{i,j}$ for each pair of domain variables $x_i$ and $x_j$ in the formula, encoding whether or not the two variables are equal. Based on these variables they generate a propositional formula for each equation encoding the conditions under which the two argument terms will have equal valuations. From this they can generate a propositional formula describing the conditions under which the original formula evaluates to true. This formula must include constraints to enforce the transitivity of equality among the terms. Their BDD-based implementation of this approach was able to verify only relatively simple pipelines.

5 Positive Equality 

We have recently shown that major improvements can be obtained by exploiting the polarity of the equations in the original formula $F$ before replacing any function applications with domain variables. Let us introduce some notation regarding the polarity of equations and their dependent function symbols. For a formula $F$ of the form $T_1 = T_2$, we say this equation is a positive equation of $F$. For formula $F$ of the form $\neg F_1$, any positive equation of $F_1$ is a negative equation of $F$, and any negative equation of $F_1$ is a positive equation of $F$. For formula $F$ of the form $F_1 \wedge F_2$ or $F_1 \vee F_2$, any positive (respectively, negative) equation of either $F_1$ or $F_2$ is a positive (resp., negative) equation of $F$ as well. As we consider all of the equations occurring in $F$, we will also have those that appear as part of the formulas controlling ITE operations. We label these to be both positive and negative.

For term $T$ of the form $f(T_1, \ldots, T_k)$, function symbol $f$ is said to be a data symbol of $T$. For term $T$ of the form $ITE(b, T_1, T_2)$, any function symbol that is a data symbol of either $T_1$ or $T_2$ is a data symbol of $T$.

A function symbol $f$ is said to be a p-function symbol of formula $F$ if there are no negative equations occurring in $F$ for which $f$ is a data symbol of one of the argument terms. Typically these will be symbols that either are not data symbols of any equation or are data symbols only of the top-level verification conditions. For verifying the correspondence property given by Equation 1, we will see that we can represent all operations involving program data and addresses with p-function symbols. The only function symbols that do not qualify as p-function symbols in our application are those representing register identifiers.

We can exploit the presence of p-function symbols to greatly reduce the number of interpretations that must be considered to determine universal validity. Let $\Sigma$ denote a subset of the function symbols occurring in $F$. We say that interpretation $I$ is diverse with respect to $\Sigma$ for $F$ when for any function application term $f(S_1, \ldots, S_k)$ where $f \in \Sigma$ and any other function application term $g(U_1, \ldots, U_l)$ we have $I[f(S_1, \ldots, S_k)] = I[g(U_1, \ldots, U_l)]$ iff $f = g$ and $I[S_i] = I[U_i]$ for $1 \le i \le k$. Interpretation $I$ is said to be “maximally diverse” if it is diverse with respect to the set of all p-function symbols in $F$.

Theorem 1. Formula $F$ is universally valid if and only if it is true in all maximally diverse interpretations.

The essential idea behind this theorem is that a maximally diverse interpretation forms a worst case as far as determining the validity of a formula. For any less diverse interpretation $I$, we can systematically derive a maximally diverse $I'$ such that among the equations, only the positive ones can change their valuations under $I'$, and these can only change from true to false. Therefore the valuation of $F$ under the two interpretations must either be equal or have $I[F] = \mathrm{true}$ and $I'[F] = \mathrm{false}$.
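To make the polarity rules of this section concrete, here is an added example (our own, not code from the paper or from the authors' verifier) that computes the positive and negative equations of a formula and derives its p-function symbols. The tuple encoding of terms and formulas, and the register-forwarding formula it is run on, are constructed for this illustration.

```python
# Terms: ('app', f, (t1..tk)) with k = 0 for a domain variable, or ('ite', formula, t1, t2).
# Formulas: True/False, ('eq', t1, t2), ('not', f), ('and', f1, f2), ('or', f1, f2),
# and ('pred', p, (t1..tk)) for an uninterpreted predicate.

def var(name): return ('app', name, ())
def app(f, *args): return ('app', f, tuple(args))

def classify_equations(formula, positive=True, pos=None, neg=None):
    """(positive, negative) equation sets of formula: negation flips polarity, /\ and \/
    pass it through, and equations controlling an ITE are labelled both."""
    pos = set() if pos is None else pos
    neg = set() if neg is None else neg
    if isinstance(formula, bool):
        return pos, neg
    tag = formula[0]
    if tag == 'eq':
        (pos if positive else neg).add(formula)
        for t in formula[1:]:
            scan_term(t, pos, neg)
    elif tag == 'not':
        classify_equations(formula[1], not positive, pos, neg)
    elif tag in ('and', 'or'):
        for sub in formula[1:]:
            classify_equations(sub, positive, pos, neg)
    else:                                   # 'pred': only its argument terms matter
        for t in formula[2]:
            scan_term(t, pos, neg)
    return pos, neg

def scan_term(term, pos, neg):
    """Equations inside ITE controls count as both positive and negative."""
    if term[0] == 'ite':
        p, n = classify_equations(term[1])
        pos |= p | n
        neg |= p | n
        scan_term(term[2], pos, neg)
        scan_term(term[3], pos, neg)
    else:
        for a in term[2]:
            scan_term(a, pos, neg)

def data_symbols(term):
    """f(...) has data symbol f; an ITE has the data symbols of both branches."""
    if term[0] == 'ite':
        return data_symbols(term[2]) | data_symbols(term[3])
    return {term[1]}

def function_symbols(e, acc=None):
    """All function symbols (including domain variables) occurring in e."""
    acc = set() if acc is None else acc
    if not isinstance(e, bool):
        if e[0] == 'app':
            acc.add(e[1])
        for sub in (e[2] if e[0] in ('app', 'pred') else e[1:]):
            function_symbols(sub, acc)
    return acc

def p_function_symbols(formula):
    """Symbols that are data symbols of no argument term of any negative equation."""
    _, neg = classify_equations(formula)
    blocked = set()
    for _, lhs, rhs in neg:
        blocked |= data_symbols(lhs) | data_symbols(rhs)
    return function_symbols(formula) - blocked

# Constructed example: an operand read through a forwarding multiplexor.  The condition
# says "if dest is the hard-wired zero register, the read must come from the register
# file".  Register identifiers appear in a negative equation (and in the ITE control),
# so they are not p-function symbols; the ALU, the register file and the operands are.
src, dest, r0, a, b = var('src'), var('dest'), var('r0'), var('a'), var('b')
pipe_read = ('ite', ('eq', src, dest), app('alu', a, b), app('rf', src))
F = ('or', ('not', ('eq', dest, r0)), ('eq', pipe_read, app('rf', src)))
```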

6 Eliminating Function Applications 

We have devised a method of eliminating function application terms from a formula that differs from that of Ackermann [Ack54]. Our method uses a nested ITE structure to capture the functional consistency constraints rather than imposing these as antecedents to the formula. Our method has the advantage that it leads to a direct method to exploit positive equality.

We illustrate our technique for replacing function applications by domain variables with a small example. Let $F$ be an EUF formula containing three terms applying function symbol $f$: $f(x_1)$, $f(x_2)$, and $f(x_3)$, which we identify as terms $T_1$, $T_2$, and $T_3$, respectively. Let $vf_1$, $vf_2$, and $vf_3$ be domain variables that do not occur in $F$. We generate new terms $U_1$, $U_2$, and $U_3$ as follows:

$$\begin{aligned} U_1 &= vf_1 \\ U_2 &= ITE(x_2 = x_1,\, vf_1,\, vf_2) \\ U_3 &= ITE(x_3 = x_1,\, vf_1,\, ITE(x_3 = x_2,\, vf_2,\, vf_3)) \end{aligned} \qquad (4)$$

We then eliminate the function applications by replacing each instance of $T_i$ in $F$ by $U_i$ for $1 \le i \le 3$. Observe that as we consider interpretations with different values for variables $vf_1$, $vf_2$, and $vf_3$, we implicitly cover all values that an interpretation of function symbol $f$ may yield for the three arguments. The nested ITE structure shown in Equation 4 enforces functional consistency.

The general method for eliminating function applications follows that of our example formula. For a function symbol $f$ of nonzero order and having $n$ instances, we generate domain variables $vf_1, vf_2, \ldots, vf_n$. Rather than directly replacing function application term $T_i$ with a domain variable, we generate a nested ITE structure comparing the arguments of this application to those of each application term $T_j$ for $j < i$. As we consider different interpretations for the newly-generated domain variables, these nested ITE structures implicitly cover all possible interpretations of the function application terms while preserving functional consistency. A similar technique can be used to eliminate all instances of a predicate symbol $p$, using newly-generated propositional variables $ap_1, ap_2, \ldots$. This process is repeated for all function and predicate symbols yielding a formula $F^*$ that contains only domain and propositional variables.
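The following added example (our own, not the authors' implementation) implements both eliminations side by side, Ackermann's antecedent method from Section 4 and the nested ITE method of this section, on formulas written as nested tuples, and checks by brute-force enumeration over a three-element domain that each translation preserves the validity of a constructed formula. The tuple encoding, the variable names and the sample formulas are assumptions of this illustration.

```python
from itertools import product

# Terms: ('app', f, (t1..tk)) with k = 0 for a domain variable, or ('ite', formula, t1, t2).
# Formulas: True/False, ('eq', t1, t2), ('not', f), ('and', f1, f2), ('or', f1, f2).

def var(name): return ('app', name, ())
def app(f, *args): return ('app', f, tuple(args))

def evaluate(e, interp):
    """Valuation I[e]; interp maps each function symbol to a Python callable."""
    if isinstance(e, bool):
        return e
    tag = e[0]
    if tag == 'app':
        return interp[e[1]](*[evaluate(a, interp) for a in e[2]])
    if tag == 'ite':
        return evaluate(e[2] if evaluate(e[1], interp) else e[3], interp)
    if tag == 'eq':
        return evaluate(e[1], interp) == evaluate(e[2], interp)
    if tag == 'not':
        return not evaluate(e[1], interp)
    if tag == 'and':
        return evaluate(e[1], interp) and evaluate(e[2], interp)
    return evaluate(e[1], interp) or evaluate(e[2], interp)

def children(e):
    return e[2] if e[0] == 'app' else e[1:]

def applications(e, f, acc):
    """Syntactically distinct applications of f in e, inner ones before outer ones."""
    if not isinstance(e, bool):
        for sub in children(e):
            applications(sub, f, acc)
        if e[0] == 'app' and e[1] == f and e not in acc:
            acc.append(e)
    return acc

def substitute(e, mapping):
    """Replace every term that is a key of mapping by its image."""
    if isinstance(e, bool):
        return e
    if e in mapping:
        return mapping[e]
    if e[0] == 'app':
        return ('app', e[1], tuple(substitute(a, mapping) for a in e[2]))
    return (e[0],) + tuple(substitute(sub, mapping) for sub in e[1:])

def conj(a, b):
    return b if a is True else ('and', a, b)

def args_equal(xs, ys):
    """x_1 = y_1 /\ ... /\ x_k = y_k (True when k = 0)."""
    cond = True
    for x, y in zip(xs, ys):
        cond = conj(cond, ('eq', x, y))
    return cond

def eliminate_ackermann(formula, f):
    """Ackermann: T_i -> fresh fx_i, with (args_i = args_j => fx_i = fx_j) as antecedents."""
    mapping, seen, antecedent = {}, [], True
    for i, t in enumerate(applications(formula, f, []), 1):
        args, fx = tuple(substitute(a, mapping) for a in t[2]), var(f'{f}x{i}')
        for args_j, fx_j in seen:
            antecedent = conj(antecedent, ('or', ('not', args_equal(args, args_j)), ('eq', fx, fx_j)))
        mapping[t], seen = fx, seen + [(args, fx)]
    return ('or', ('not', antecedent), substitute(formula, mapping))

def eliminate_nested_ite(formula, f):
    """Section 6: T_i -> ITE(args_i = args_1, vf_1, ITE(args_i = args_2, vf_2, ... vf_i))."""
    mapping, seen = {}, []
    for i, t in enumerate(applications(formula, f, []), 1):
        args, u = tuple(substitute(a, mapping) for a in t[2]), var(f'v{f}{i}')
        for j in range(len(seen), 0, -1):          # wrap outward from T_{i-1} to T_1
            u = ('ite', args_equal(args, seen[j - 1]), var(f'v{f}{j}'), u)
        mapping[t], seen = u, seen + [args]
    return substitute(formula, mapping)

def symbols(e, acc):
    if not isinstance(e, bool):
        if e[0] == 'app':
            acc[e[1]] = len(e[2])
        for sub in children(e):
            symbols(sub, acc)
    return acc

def interpretations(syms, domain):
    """Every interpretation over domain: each order-k symbol gets every table D^k -> D."""
    names, tables = list(syms), []
    for name in names:
        inputs = list(product(domain, repeat=syms[name]))
        tables.append([dict(zip(inputs, outs)) for outs in product(domain, repeat=len(inputs))])
    for choice in product(*tables):
        yield {n: (lambda tbl: lambda *a: tbl[a])(tbl) for n, tbl in zip(names, choice)}

def valid_over(formula, domain):
    return all(evaluate(formula, I) for I in interpretations(symbols(formula, {}), domain))

# Constructed examples.  F is valid (functional consistency plus transitivity of equality),
# G is not; both eliminations must preserve that.  H holds the three applications of Eq. 4.
x1, x2, x3 = var('x1'), var('x2'), var('x3')
F = ('or', ('not', ('and', ('eq', x1, x2), ('eq', x2, x3))), ('eq', app('f', x1), app('f', x3)))
G = ('eq', app('f', x1), app('f', x2))
H = ('and', ('eq', app('f', x1), app('f', x2)), ('eq', app('f', x2), app('f', x3)))
```

A three-element domain is enough to refute G here; in general Ackermann's bound (one value per distinct application term) decides the size needed.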

Our method can exploit positive equality by considering only distinct interpretations of the domain variables that are generated when eliminating the p-function symbols. Define $\Sigma_p$ to be the set of domain variables occurring in $F$ that are p-function symbols, plus the set of all domain variables of the form $vf_i$ generated when eliminating the applications of each p-function symbol $f$.

Theorem 2. EUF formula $F$ is universally valid if and only if its translation $F^*$ is true under all interpretations $I^*$ that are diverse over $\Sigma_p$.

This theorem follows by an inductive application of the following argument. Suppose $f$ is in the set of function symbols $\Sigma$ over which $I$ is diverse for formula $F$, and that we replace all instances of $f$ with nested ITE structures involving newly-generated domain variables $vf_1, \ldots, vf_n$ to give a formula $F'$. Then we can construct an interpretation $I'$ for $F'$ that is diverse over $\Sigma - \{f\} \cup \{vf_1, \ldots, vf_n\}$ such that $I'[F'] = I[F]$. Conversely, for any interpretation $I'$ of $F'$, we can extend it to an interpretation $I$ including an interpretation of function symbol $f$ such that $I[F] = I'[F']$.

We can further simplify the task of determining universal validity by choosing particular domains of sufficient size and assigning fixed interpretations to the variables in $\Sigma_p$. Let $\Sigma_g$ be the set of variables occurring in $F^*$ that are not in $\Sigma_p$. Let $\mathcal{D}_p$ and $\mathcal{D}_g$ be disjoint subsets of domain $\mathcal{D}$ such that $|\mathcal{D}_p| \ge |\Sigma_p|$ and $|\mathcal{D}_g| \ge |\Sigma_g|$. Let $\alpha$ be any 1-1 mapping $\alpha\colon \Sigma_p \to \mathcal{D}_p$.

Corollary 1. Formula $F$ is universally valid if and only if its translation $F^*$ is true for every interpretation $I^*$ such that $I^*(v_p) = \alpha(v_p)$ for every variable $v_p$ in $\Sigma_p$, and $I^*(v_g)$ is in $\mathcal{D}_g$ for every variable $v_g$ in $\Sigma_g$.

This property follows because any interpretation $I^*$ that is diverse with respect to $\Sigma_p$ must provide a 1-1 mapping from the variables in $\Sigma_p$ to domain values. It must therefore be isomorphic to some interpretation where $I^*(v_p) = \alpha(v_p)$ for every $v_p \in \Sigma_p$.
7 Generating a Propositional Formula

We have reduced the problem of deciding the universal validity of an arbitrary formula $F$ to one of determining whether a translated formula $F^*$ containing only domain and propositional variables is true under all interpretations that are diverse with respect to some subset $\Sigma_p$ of the domain variables in $F^*$. Our method borrows from [GSZAS98] the idea of introducing propositional variables to encode the equalities between domain variables. In our case, however, we only introduce propositional variables for a subset of the domain variable pairs.

For each pair of domain variables u and v occurring in F*, we only need to generate 
a propositional variable e_{u,v} when both u and v are in S_g, and there is some equation 
T_1 = T_2 in F* such that u appears as a data symbol of T_1 while v appears as a data 
symbol of T_2, or vice-versa. This encoding exploits the property that if either u or v is in 
S_p, we can assume they have distinct interpretations. It also exploits the sparse structure 
of the equations — we need only consider the relation between pairs of variables that 
appear as data symbols of terms being compared for equality. We can then construct a 
propositional formula F that is a tautology if and only if formula F*, and consequently 
our original EUF formula F, is universally valid. 

As with [GSZAS98], formula F should include constraints of the form e_{u,v} ∧ 
e_{v,w} ⇒ e_{u,w} to consider only interpretations of these variables that satisfy the transitiv- 
ity of equality. We have found in verifying microprocessor designs that these constraints 
can often be omitted — hardware designs do not seem to make use of any principles as 
mathematically deep as transitivity. 
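The sparse e-variable generation and the transitivity constraints described above, as an added Python example (not code from the paper or its verifier): the equations, the variable names and the set S_P are constructed inputs, and only the triangle-shaped constraints of the form the text states are produced.

```python
from itertools import combinations

# Constructed input (not from the paper): each equation T1 = T2 of a translated
# formula F* is given as the set of data symbols (domain variables) of T1 and
# of T2.  S_P holds the variables that may be assumed pairwise distinct.
EQUATIONS = [
    ({"a", "x"}, {"b"}),      # e.g. ITE(c, a, x) = b
    ({"a"}, {"x"}),           # a = x
    ({"b"}, {"y", "z"}),      # b = ITE(c', y, z)
    ({"p1"}, {"p2"}),         # both sides in S_P: assumed distinct, no e-variable
    ({"p1"}, {"x"}),          # one side in S_P: assumed distinct, no e-variable
]
S_P = {"p1", "p2"}


def evar(u, v):
    """Name of the propositional variable e_{u,v}; the pair is unordered."""
    return "e_" + "_".join(sorted((u, v)))


def candidate_pairs(equations, s_p):
    """Pairs {u, v} that need an e-variable: both outside S_P (i.e. in S_G) and
    appearing as data symbols on opposite sides of some equation."""
    pairs = set()
    for lhs, rhs in equations:
        for u in lhs - s_p:
            for v in rhs - s_p:
                if u != v:
                    pairs.add(frozenset((u, v)))
    return pairs


def transitivity_constraints(pairs):
    """Constraints e_{u,v} AND e_{v,w} => e_{u,w}, generated only for triples in
    which all three pairs carry an e-variable.  Each constraint is returned as
    (premise, premise, conclusion)."""
    adjacent = {}
    for pair in pairs:
        u, v = sorted(pair)
        adjacent.setdefault(u, set()).add(v)
        adjacent.setdefault(v, set()).add(u)
    constraints = []
    for u, v, w in combinations(sorted(adjacent), 3):
        if v in adjacent[u] and w in adjacent[u] and w in adjacent[v]:
            constraints.append((evar(u, v), evar(v, w), evar(u, w)))
            constraints.append((evar(u, v), evar(u, w), evar(v, w)))
            constraints.append((evar(u, w), evar(v, w), evar(u, v)))
    return constraints


def dense_pair_count(equations, s_p):
    """Number of e-variables a dense encoding (one per pair of variables in
    S_G, as in [GSZAS98]) would introduce, for comparison."""
    s_g = set().union(*(lhs | rhs for lhs, rhs in equations)) - s_p
    return len(s_g) * (len(s_g) - 1) // 2


if __name__ == "__main__":
    pairs = candidate_pairs(EQUATIONS, S_P)
    print(sorted(evar(*sorted(p)) for p in pairs))
    print(transitivity_constraints(pairs))
    print(len(pairs), "of", dense_pair_count(EQUATIONS, S_P), "pairs need a variable")
```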

8 Modeling Microprocessors in EUF 

Our verifier starts with a “term-level” model of both the pipeline and the program ver- 
sion of the processor. That is, we have already abstracted away details of the datapath, 
replacing functional units with uninterpreted functions. We represent control signals 
as formulas and multi-bit signals such as operation codes, register identifiers, memory 
addresses and data as terms. Each instruction is coded as a collection of formulas and 
terms based on an instruction format having a 3-bit instruction type field, an opcode, 
two source and one destination register identifiers, and an immediate data value. The 
task of proving a formal correspondence between such a model and a more detailed 
register-transfer level model remains a challenging research problem. 

To model the register file, we use the memory model described by Burch and Dill 
[BD94], creating a nested ITE structure to encode the effect of a read operation based on 
the history of writes to the memory. That is, suppose at some point we have performed 
k write operations with addresses given by terms A_1, ..., A_k and data given by terms 
D_1, ..., D_k. Then the effect of a read with address given by the term A is given by the 
term: 

    ITE(A = A_k, D_k, ITE(A = A_{k-1}, D_{k-1}, ... ITE(A = A_1, D_1, f_I(A)) ...))    (5) 

where f_I is an uninterpreted function expressing the initial memory state. 
By careful design of the term-level model, we are able to treat all symbols repre- 
senting opcodes, program data, and memory addresses as p-function symbols and hence 
the domain variables encoding such values are in S_p. The symbols representing register 
identifiers, on the other hand, do not satisfy the restrictions we impose on p-function 
symbols. In particular, the pipeline control must compare the register identifiers of 
successive instructions to determine when stall or register forwarding conditions arise. 
The memory model described by Equation 5 involves equations over address terms that 
control the outcome of ITE operations, and hence any data symbols occurring in such 
terms are not p-function symbols. This causes no problems for the register file, since the 
addresses are register identifiers. We cannot use such a memory model to represent the 
main data memory, however, or we would be unable to use p-function symbols to repre- 
sent instruction and data addresses. Instead, we use a more abstracted memory model in 
which the effect of a write operation is to cause an arbitrary change of state (represented 
by an uninterpreted “memory update” function) for the entire memory. Such a model is 
a conservative abstraction of a true memory, but it suffices for modeling processors that 
perform their memory operations in program order. 
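The write-history memory model of Equation 5, together with the observation that data symbols in ITE-controlling address equations cannot be p-function symbols, as an added Python example (not the verifier's own code): the term encoding, the names A1, A2, D1, D2 and the stand-in for f_I are constructed.

```python
# Constructed term representation: a string is a domain variable; a tuple is an
# application, e.g. ("ITE", c, t, e), ("=", a, b) or ("f_I", a), where f_I is the
# uninterpreted function giving the initial memory state.


class TermMemory:
    """Burch-Dill style memory: a read is a nested ITE over the write history."""

    def __init__(self, initial="f_I"):
        self.initial = initial
        self.writes = []            # (address term, data term), oldest first

    def write(self, addr, data):
        self.writes.append((addr, data))

    def read(self, addr):
        """Equation (5): the most recent write becomes the outermost ITE."""
        term = (self.initial, addr)
        for a_i, d_i in self.writes:
            term = ("ITE", ("=", addr, a_i), d_i, term)
        return term


def controlling_symbols(term):
    """Data symbols occurring in equations that control an ITE.  These cannot be
    p-function symbols, which is why the model suits the register file (addresses
    are register identifiers) but not the main data memory."""
    found = set()

    def leaves(t):
        return {t} if isinstance(t, str) else set().union(*map(leaves, t[1:]))

    def walk(t):
        if isinstance(t, str):
            return
        if t[0] == "ITE" and t[1][0] == "=":
            found.update(leaves(t[1]))
        for sub in t[1:]:
            walk(sub)

    walk(term)
    return found


def evaluate(term, env, initial_memory):
    """Evaluate under a concrete interpretation: env maps domain variables to
    values and initial_memory is a Python function standing in for f_I."""
    if isinstance(term, str):
        return env[term]
    op = term[0]
    if op == "ITE":
        branch = term[2] if evaluate(term[1], env, initial_memory) else term[3]
        return evaluate(branch, env, initial_memory)
    if op == "=":
        return evaluate(term[1], env, initial_memory) == evaluate(term[2], env, initial_memory)
    return initial_memory(evaluate(term[1], env, initial_memory))   # f_I(A)


def register_file_example():
    """Two writes followed by a read, as a term."""
    mem = TermMemory()
    mem.write("A1", "D1")
    mem.write("A2", "D2")
    return mem.read("A")


if __name__ == "__main__":
    t = register_file_example()
    print(t)
    print("symbols that cannot be p-function symbols:", sorted(controlling_symbols(t)))
```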

9 Experimental Results 

We have verified a variety of pipelined processor designs ranging from a single-issue, 
5-stage pipeline similar to the DLX processor [HP96] to a variety of superscalar dual- 
issue pipelines. The most complex of these can handle all instruction types in either 
side of the pipeline. Our verification times range from less than 1 second for the single- 
issue case up to 50 seconds for the superscalar cases. The memory requirement (often 
the limiting factor for BDD-based applications) ranges from 1.5 to 80 Megabytes. The 
number of propositional variables ranges from 47 to 189, with between 17 and 129 
comprising the e_{u,v} variables encoding the relations between register identifiers. 

By contrast, Burch [Bur96] verified a somewhat simpler dual-issue processor only 
after devising 3 different commutative diagrams, providing 28 manual case splits, and 
using around 30 minutes of CPU time. We have particularly found that our BDD-based 
approach can handle the disjunctive verification condition of Equation 2. Methods based 
on combinatorial search have unacceptably long run times, unless the disjunction is split 
into separate cases. 

We have also experimented with using several different Boolean satisfiability (SAT) 
packages to prove that the complement of our generated propositional formula is not 
satisfiable. We have found these packages perform very well for the single-issue model, 
and they can often find counterexamples in complex designs containing errors. However 
they do not complete even after running for many hours when attempting to verify a 
correct dual-issue design. 

10 Conclusions 

When verifying pipelined microprocessors using abstracted data paths, we have found 
that the properties of the EUF formulas to be proved valid can be exploited to greatly 
simplify the propositional formulas we generate. As a consequence we have been able 
to verify complex superscalar pipelines with a high degree of automation. 

Binary Decision Diagrams provide a powerful mechanism for verifying complex 
systems. Compared to methods based on combinatorial search, including both decision 
procedures for EUF as well as SAT solvers for the propositional translation of the ver- 
ification condition, BDDs capture the full structure of a problem as a single data struc- 
ture, rather than repeatedly enumerating and disproving possible counterexamples. Our 
experience has been that BDDs consistently outperform search-based methods when 
verifying complex designs. 

BDDs can only be applied to tasks that are reducible to either propositional logic 
or to quantified Boolean formulas. An important area of research is to see what other 
classes of logic can be efficiently reduced to one of these forms. 
Abstract.* This paper reports the main ideas behind the design, the 
benchmarks, the organization, and the rating of the ATP systems of the 
TABLEAUX'99 Non-Classical (Modal) System Comparisons (TANCS). 



1 Introduction 

In order to stimulate automatic theorem proving (ATP) development in non- 
classical logic, and to expose ATP systems to researchers, the TABLEAUX con- 
ference has decided to promote a Non-Classical Systems comparison (TANCS). 

Its aim is to provide a set of benchmarks and a standardized methodology 
for the assessment and comparison of ATP systems in non-classical logics, as it 
is done for first-order logic with the CADE System Competition [18]. At first, 
this should promote the competition among ATP systems and yield novel solu- 
tions. Second, a scientific approach to benchmarking non-classical ATP systems 
is needed to avoid that experimental “results” claimed at a conference are 
rebutted at the next¹. TANCS is a step in this direction. 

The first comparison has been held in 98 [1] on modal and related (e.g. ALC) 
logics [4,9,3] and this continues the series. 

2 Design and Organization of the Comparison 

The first problem of a comparison is how to rate two systems. Since the aim of 
ATP is solving problems, two natural measures are effectiveness and usability. 

Effectiveness can be measured on the basis of the type and number of prob- 
lems solved, the average runtime for successful solutions, the scaling of the prover 
as problems gets bigger. Usability can be assessed on the basis of availability via 
web or other sources, portability to various platforms, need for additional soft- 
ware besides the prover itself, ease of installation and use (eg visual interfaces), 
possibility of customizing the search heuristics, etc. 

* More details are at http://www.dis.uniroma1.it/~massacci/TANCS. 

** I would like to thank F. Donini, R. Goré, P. Liberatore, N. Murray, and A. Voronkov. 

This work has been supported by a CNR fellowship and by CNR and MURST grants. 
¹ See for instance the claims by Giunchiglia & Sebastiani [7], rebutted by Hustadt & 
Schmidt [10] and then the (final?) reply by Giunchiglia et al. in [6]. 

Neil V. Murray (Ed.): TABLEAUX’99, LNAI 1617, pp. 14-18, 1999. 
The second decision regards the choice of benchmark problems², which offer 
the possibility to generate enough different samples so that “benchmark-tailored” 
techniques will not work, and which are either representative of the difficulties of 
the underlying satisfiability decision problem or representative of some real-world 
case. Third, the rating of the systems may not be based only on raw running 
times nor on internal aspects of the algorithm (e.g. Davis-Putnam calls) as we 
may end up with the impossibility of comparing in any fair way the performance 
of ATP using different hardware, operating systems and calculi. 

For TANCS-99, we used benchmarks based on randomly generable formulae, 
as first suggested in [17] for SAT and applied to modal logic in [7]. Unfortunately, 
just taking a standard 3-SAT benchmark and “generalizing it” to modal logic 
may lead to many pitfalls [10]. We may even end up with too easy a benchmark 
which does not capture the complexity class of the underlying decision problem. 
Moreover, the use of randomly generated formulae implies that care is needed 
to use a good “random” number generator [16]. 

The TANCS-99 benchmarks were grouped into main divisions and categories, 
as in the CADE System Competition [18], according to the complexity of the un- 
derlying decision problem and certain properties of the input formulae. 

The following divisions were envisaged: a modal PSPACE division, a multi- 
modal PSPACE division, a global PSPACE division, a modal EXPTIME division. 
We recall that deciding modal logic satisfiability is PSPACE-complete [14] and 
EXPTIME-complete if one uses global axioms Fitting-style [9], although not 
necessarily every benchmark set is able to capture this complexity class. For an 
introduction to modal or description logics see also [3,4,9]. 

3 Benchmark Problems 

The basic idea behind each benchmark is that for each category within a division 
there are few reference problems which every entrant of the comparison has to 
try. Then a C program can generate all random instances of one's size and choice. 

Besides parameters such as numbers of clauses and variables, the C program 
makes it possible to choose between a “plain” version of the benchmark and 
“modalized” one. With the modalized version we may try to analyze one of the 
interesting questions of modal theorem proving: how can we tell that a prover 
is lousy on modal reasoning but makes up its speed just by a very efficient 
propositional Davis-Putnam implementation? 

This check can be done by encoding propositional variables as modal formulae 
[8]: in the (satisfiability preserving) encoded problem there is only one variable 
and thus propositional reasoning is encoded as modal reasoning. Two encodings 
were possible: a simple encoding based on logic K and a harder one based on the 
logic S4. Modalized problems turned out to be harder than their plain version. 

Below we sketch the generation procedure only for the submitted problems. 

² The format of the benchmarks was a variant of the TPTP benchmark format for 
first-order logic [18]. See also TPTP’s web page http://www.cs.jcu.edu.au/~tptp. 
The Bounded Modal CNF benchmark has been proposed in [7] and later on 
corrected in [10]. As for the Random 3-SAT benchmark for propositional satis- 
fiability [17], a set of modal clauses is generated in a random way with modal 
depth bounded by d (default 2). Each clause at depth 0 has k propositional lit- 
erals (def. 3), which are obtained by randomly generating k different variables, 
each negated with probability 0.5. For clauses at depth x a literal is, with equal 
probability, either a modal clause □c of depth x − 1 or a propositional literal. 

Setting d = 0 will generate the 3CNF random SAT problems according to the 
fixed length clause model [17], a good representative of the hardness of the NP 
complexity class. Unfortunately, setting d > 1 does not yield problems in the 
polynomial hierarchy up to PSPACE [13]. As shown in [8], we are stuck at 
NP, no matter how big or hard³ our instances are. Thus, this benchmark is a 
problem in NP crafted into a modal language. 
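The Bounded Modal CNF generation procedure above, as an added Python example rather than the C generator distributed with TANCS; the literal encoding and the assumption that the propositional literals of one clause use different variables at every depth are not from the paper.

```python
import random

# Constructed literal representation (not the TANCS generator's own format):
#   ("lit", i, negated)   propositional literal over variable p_i
#   ("box", clause)       modal literal []c, where c is a clause (a list of literals)


def gen_clause(rng, depth, k, v):
    """One clause of modal depth at most `depth` with k literals.  At depth 0 all
    k literals are propositional over k different variables; at depth x > 0 each
    literal is, with equal probability, a modal clause of depth x - 1 or a
    propositional literal.  Every propositional literal is negated w.p. 0.5."""
    assert k <= v, "k different variables per clause need k <= v"
    lits, used = [], set()
    for _ in range(k):
        if depth > 0 and rng.random() < 0.5:
            lits.append(("box", gen_clause(rng, depth - 1, k, v)))
        else:
            var = rng.choice([i for i in range(1, v + 1) if i not in used])
            used.add(var)
            lits.append(("lit", var, rng.random() < 0.5))
    return lits


def gen_benchmark(c, k=3, v=4, d=2, seed=0):
    """c random modal clauses over v variables; d = 0 gives the fixed clause
    length 3-SAT model.  The seed makes an instance reproducible."""
    rng = random.Random(seed)
    return [gen_clause(rng, d, k, v) for _ in range(c)]


def modal_depth(clause):
    """Nesting depth of boxes in a clause (0 for a purely propositional one)."""
    return max(1 + modal_depth(lit[1]) if lit[0] == "box" else 0 for lit in clause)


def render(clause):
    """Human-readable form, e.g. '~p1 | box(p2 | p3)'."""
    parts = []
    for lit in clause:
        if lit[0] == "box":
            parts.append("box(" + render(lit[1]) + ")")
        else:
            parts.append(("~" if lit[2] else "") + "p%d" % lit[1])
    return " | ".join(parts)


if __name__ == "__main__":
    for clause in gen_benchmark(c=8, k=3, v=4, d=2, seed=1):
        print("depth", modal_depth(clause), ":", render(clause))
```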

The next benchmark, Unbounded Modal QBF, aims at solving this problem. 
It has been first proposed here for TANCS and the main intuition is to encode 
Quantified Boolean Formulae (QBF) into modal logic, using a clever variant of 
Ladner's original translation [14] so that auxiliary variables are not introduced. 

In practice, we generate a quantified boolean formula with c clauses, alterna- 
tion depth equal to d, and for each alternation at most v variables are used. A 
formula like ∀v_32 v_31 . ∃v_22 v_21 . ∀v_12 v_11 . ∃v_02 v_01 . CNF_{c clauses}(v_01 ... v_32) can be gen- 
erated with d = 3 and v = 2. 

For each clause we randomly generate k different variables (default 4) and 
each is negated with probability 0.5. The first and the third variable (if it ex- 
ists) are existentially quantified. The second and fourth variable are universally 
quantified. This aims at eliminating trivially unsatisfiable formulae as reported 
in [2]. Other literals are either universal or existentially quantified variables with 
probability 0.5. The depth of each literal is randomly chosen from 1 to d. 

The resulting formula is translated into modal logic with a variant of Ladner's 
encoding and the addition of formulae to guarantee the alternation of quantifiers 
in a tree-like form. For every fixed value of d we can capture the problems in 
the polynomial hierarchy. That's better (we move upward in the complexity 
chain), yet PSPACE can only be reached by an unbounded value of d. 

Finally, the benchmark Periodic Modal CNF can capture Pspace. It encodes 
periodic satisfiability problems [15] with global axioms Fitting-style [4]. 

Periodic satisfiability has been introduced by Orlin [15]. The intuition is that 
propositional variables are indexed by time instants, so that a clause may refer 
to a constraint spanning over different time instants. A periodic satisfiability 
problem is a problem in which the time instants of the literals of the same clauses 
are distant at most d, where d is a prefixed constant. This problem has been 
proved by Orlin himself to be PSPACE-complete when d > 1. The embedding 
of periodic satisfiability into modal logic has been proposed here for the first 
time and is a faithful translation of the problem from both a semantical (a set 
of clauses is periodically satisfiable iff the translation is modally satisfiable) and 
computational perspective. 

³ Expensive checks are also necessary to avoid the generation of trivial instances. 
In practice, a modal periodic formula has c clauses, and in each clause a 
(modal) literal may refer to the current instant of time, and be a propositional 
literal, or to a future time randomly chosen from 1 to depth d, and thus have 
the form □^i l. For each instant of time, at most v variables are used and for each 
clause we generate k (default 4) different variables and each is negated with 
probability 0.5. The first literal is always from the present instant of time and 
the second literal (if it exists) always refers to a future instant of time. Other 
literals are chosen among present or future instants of time at random. 

4 Performance Analysis and Conclusions 

The running time on reference problems is the yardstick used to compare provers 
as the problems get harder and, above all, to give a reasonably fair comparison 
of different provers run on different machines, operating systems etc. as done for 
the DIMACS challenge [12]. 

In a nutshell, for every prover we compute the geometric mean time on the 
reference problems and then normalize the run time of each problem with respect 
to (i.e. divide by) this reference mean time. Then we obtain a relative ranking 
which makes it possible to abstract away, at least to a certain extent, machine 
and run dependent characteristics [5]. Notice that the geometric mean time must 
be used, otherwise we may draw meaningless conclusions [5]. Scaling, ability of 
handling large instances, and asymptotic behavior emerge more clearly [11, 12]. 

A compacted report of the comparison is described in Table 1 (more details 
are in the web pages). Note that the totals include timeouts and that numbers are 
not absolute values but relative performance wrt the benchmark Bounded Modal 
CNF with 8 clauses and 4 variables. Timeouts were only obtained by KtSeqC on 
“NP problems” and by DLP on the harder Periodic Modal CNF. The dash means 
that the ATP system has not entered any result in that category. 

We may see that DLP is the most effective system (KtSeqC scaled slightly 
better but had timeouts and submitted less test results). It is worth mentioning 
that KtSeqC is the most portable, since it just requires a C compiler, whereas DLP 
requires ML and HAM-ALC requires Lisp. More details on the ATP systems can 
be found in the corresponding system descriptions in these proceedings. 

We may conclude as in [1]: systems and benchmarks of this comparison can 
be considered a main reference point for provers in modal and description logics. 
Table 1. DLP, HAM, and KTS Timings 

Sample        C   V   Total                    % Sat   Sat                      % Unsat  Unsat              Tout 
                      DLP      HAM      KTS            DLP      HAM      KTS             DLP      HAM 
BoundCnf      8   4   1.00     1.00     1.00   100%    1.00     1.00     1.00 
BoundCnf      16  4   3.89     2.00     0.96   100%    3.89     2.00     0.96 
BoundCnf      32  4   7.84     4.53     1.70   100%    7.84     4.53     0.96                                14% KTS 
BoundModK     8   4   2.96     1.95     0.96   100%    2.96     1.95     0.96 
BoundModK     16  4   5.44     4.00     1.04   100%    5.44     4.00     1.04 
BoundModK     32  4   10.59    10.62    5.13   100%    10.59    10.62    1.93                                25% KTS 
UnbndQbfCnf   8   2   9.00     19.54    -      94%     9.28     20.27    -       6%       5.71     11.32 
UnbndQbfCnf   16  2   10.05    24.33    -      19%     12.96    31.90    -       81%      9.47     22.86 
UnbndQbfCnf   32  2   12.26    38.33    -                                        100%     12.26    38.33 
UnbndQbfModK  8   2   12.88    17.85                                             100%     12.88    17.85 
UnbndQbfModK  16  2   17.61    26.09                                             100%     17.61    26.09 
UnbndQbfModK  32  2   26.27    44.55                                             100%     26.27    44.55 
PersatCnf     8   4   1.08                     100%    1.08 
PersatCnf     16  4   2.12                     100%    2.12 
PersatCnf     32  4   7.99                     100%    7.99 
PersatModK    8   4   1060.95                  63%     397.78                                                37% DLP 
PersatModK    16  4   3789.22                  6%      16.60                                                 94% DLP 
PersatModK    32  4   1898.29                  19%     49.03                    19%      2195.47             62% DLP 
DLP [Patel-Schneider(1998)] and FaCT [Horrocks(1998)] are two recent descrip- 
tion logic systems that contain sound and complete reasoners for expressive description 
logics. Due to the equivalences between expressive description logics and propositional 
modal logics, both DLP and FaCT can be used as satisfiability checkers for proposi- 
tional modal logics. 

FaCT is a full-featured system that contains a highly-optimized satisfiability checker 
for a superset of FaCT has an interface to allow the direct satisfiability check- 
ing of propositional modal formulae. FaCT is available for research purposes from 
http://www.cs.man.ac.uk/~horrocks. 

DLP is an experimental system, designed to investigate various optimization tech- 
niques for description logic systems, including many of the optimizations pioneered in 
FaCT. DLP is available for research purposes from http://www.bell-labs.com/user/pfps/dlp. 
DLP contains a highly-optimized satisfiability checker for a superset of Proposi- 
tional Dynamic Logic (PDL), and includes a simple interface for the direct checking 
of the satisfiability of formulae in PDL as well as the modal logics 
K4(m), and S4(m). 

Both DLP and FaCT have performed very well on several comparisons of modal 
provers [Horrocks and Patel-Schneider(1998a), Horrocks and Patel-Schneider(1998b)]. 
The remainder of this submission will concentrate on DLP, as it is somewhat faster 
than FaCT. Significant differences from FaCT will be noted. 

Architecture and Algorithm 

At the heart of the DLP system is its highly-optimized tableaux satisfiability engine. 
DLP first performs a lexical normalization phase, which uniquely stores sub-formulae; 
eliminates repeated conjuncts and disjuncts; replaces local tautologies and contradic- 
tions with true and false, respectively; and performs several other normalization steps. 
It then attempts to construct a model of the normalized formula; if it can construct the 
model then the formula is satisfiable; if not, the formula is unsatisfiable. 

DLP deals with non-determinism in the model construction algorithm by perform- 
ing a semantic branching search, as in the Davis-Putnam-Logemann-Loveland proce- 
dure (DPLL), instead of the syntactic branching search used by most earlier tableaux 
based implementations [Giunchiglia and Sebastiani(1996)]. DLP deterministically ex- 
pands disjunctions that present only one expansion possibility and detects a clash when 
a disjunction has no expansion possibilities. 

DLP performs a form of dependency directed backtracking called backjumping, 
backtracking to the most-recent choice point that participates in a clash instead of to 
the most-recent choice point. To support backjumping, DLP keeps associated with each 
formula the set of choice points that gave rise to that formula. 

DLP (but not FaCT, which has a different caching mechanism) caches the satisfia- 
bility status of all modal nodes that it encounters, and uses this status when a node with 
the same formula is seen again. DLP uses a combination of heuristics to determine the 
next disjunct on which to branch: it tries to maximize backjumping by first selecting 
disjunctions that do not depend on recent choice points, and it tries to maximize deter- 
ministic expansion by using the MOMS heuristic [Freeman(1996)] to select a disjunct 
from amongst these disjunctions. DLP defers modal processing until all propositional 
processing is complete at a node, again using a backjumping maximization heuristic to 
determine the order in which modal successors are explored. 
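The propositional phase, semantic branching, deterministic expansion, deferred modal processing and node caching described above, as an added Python example: it is a stripped-down mono-modal K checker, not DLP's Standard ML code; backjumping and loop checking are left out, and the exact MOMS tie-breaking is an assumption.

```python
# Formulas are constructed tuples: ("var", p), ("not", f), ("and", f, g),
# ("or", f, g), ("box", f), ("dia", f).


def nnf(f):
    """Push negations down to the atoms (negation normal form)."""
    op = f[0]
    if op == "var":
        return f
    if op == "not":
        g = f[1]
        if g[0] == "var":
            return f
        if g[0] == "not":
            return nnf(g[1])
        if g[0] == "and":
            return ("or", nnf(("not", g[1])), nnf(("not", g[2])))
        if g[0] == "or":
            return ("and", nnf(("not", g[1])), nnf(("not", g[2])))
        if g[0] == "box":
            return ("dia", nnf(("not", g[1])))
        return ("box", nnf(("not", g[1])))        # g is a diamond
    if op in ("and", "or"):
        return (op, nnf(f[1]), nnf(f[2]))
    return (op, nnf(f[1]))                         # box / dia


def neg(f):
    return nnf(("not", f))


class KChecker:
    def __init__(self):
        self.cache = {}   # frozenset of formulas -> satisfiable? (node caching)
        self.nodes = 0    # nodes actually expanded

    def satisfiable(self, f):
        return self._node(frozenset([nnf(f)]))

    def _node(self, formulas):
        if formulas not in self.cache:        # identical node seen before?
            self.nodes += 1
            self.cache[formulas] = self._expand(set(formulas))
        return self.cache[formulas]

    def _expand(self, fs):
        # Propositional phase: split conjunctions and expand every disjunction
        # that leaves only one possibility, until nothing changes.
        changed = True
        while changed:
            changed = False
            for f in list(fs):
                if f[0] == "and":
                    fs.discard(f)
                    fs.update((f[1], f[2]))
                    changed = True
                elif f[0] == "or":
                    a, b = f[1], f[2]
                    if a in fs or b in fs:                   # already satisfied
                        fs.discard(f)
                        changed = True
                    elif neg(a) in fs and neg(b) in fs:      # no possibility left
                        return False
                    elif neg(a) in fs or neg(b) in fs:       # exactly one left
                        fs.discard(f)
                        fs.add(b if neg(a) in fs else a)
                        changed = True
        if any(f[0] == "var" and ("not", f) in fs for f in fs):
            return False                                      # atomic clash
        disjunctions = [f for f in fs if f[0] == "or"]
        if disjunctions:
            # Semantic branching: try a, otherwise (not a) together with b, so
            # the two branches cannot repeat each other's work.
            f, a, b = self._choose(disjunctions)
            rest = fs - {f}
            return self._expand(rest | {a}) or self._expand(rest | {neg(a), b})
        # Modal phase, reached only once propositional processing is complete:
        # one successor node per diamond, carrying every boxed formula.
        boxed = frozenset(f[1] for f in fs if f[0] == "box")
        return all(self._node(boxed | {f[1]}) for f in fs if f[0] == "dia")

    @staticmethod
    def _choose(disjunctions):
        """MOMS-style choice (assumed, not DLP's exact rule): branch first on the
        disjunct that occurs in the most open disjunctions."""
        counts = {}
        for f in disjunctions:
            for d in f[1:]:
                counts[d] = counts.get(d, 0) + 1
        f = max(disjunctions, key=lambda g: max(counts[g[1]], counts[g[2]]))
        a, b = f[1], f[2]
        return (f, a, b) if counts[a] >= counts[b] else (f, b, a)


if __name__ == "__main__":
    p, q = ("var", "p"), ("var", "q")
    # Axiom K: box(p -> q) -> (box p -> box q); valid iff its negation is unsatisfiable.
    k_axiom = ("or", ("not", ("box", ("or", ("not", p), q))),
               ("or", ("not", ("box", p)), ("box", q)))
    print("K axiom valid:", not KChecker().satisfiable(("not", k_axiom)))
```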

To handle transitive modalities, and modality constructs in PDL, DLP checks for 
loops in the model it is constructing. If a loop is detected, it must be classified either 
as a loop that leads to satisfiability or a loop that is unsatisfiable. This loop checking 
allows DLP to handle the S4 problem classes. 



Implementation 

DLP is implemented in Standard ML of New Jersey, and uses many of the features of 
the standard libraries of this language. DLP is a mostly-functional program in that the 
core of the engine has no side-effects. In fact, the only side effects in the satisfiability 
engine involve the unique storage of sub-formulae and node caching. (FaCT has a more 
traditional implementation in LISP.) 

The unique storage of sub-formula and node caching are handled in DLP by a for- 
mula cache. When a formula is encountered, it is looked up in the cache. If the formula 
is in the cache, it is reused; if not, a new formula is created and added to the cache. Each 
formula has a satisfiability status; when a new node is created, the formulae for the node 
are conjoined and this formula is looked up in the formula cache; when a node’s status 
is determined, the satisfiability status of its formula is updated. 



Special Features 

Full PDL loop checking can be replaced in DLP by a simpler (and much less costly) 
loop checking mechanism for transitive modalities. An optimization that is valid for 
transitive modalities but not for transitive closure can also be enabled. These changes 
turn DLP into a satisfiability checker for a multi-modal logic where some or all of the 
modalities may be transitive. The standard embedding can also be used to allow DLP 
to reason with reflexive modalities. DLP is therefore able to handle many modal logics, 
including ^nd DLP was recently extended to allow 

global axioms. 

DLP has many options, including options to turn off all the above non-heuristic 
optimizations and options to vary the heuristic optimizations. The version of DLP used 
in the tests employs the simpler transitive modality loop checking, has all optimizations 
enabled, and uses the backjumping maximization and MOMS heuristics as described 
above. 
Problem                             Num   Sat   Time Outs   Time      Time (sat) 
p-bound-cnf-K3-C8-V4-D2             16    16    0           0.016     0.003 
p-bound-cnf-K3-C16-V4-D2            16    16    0           0.032     0.006 
p-bound-cnf-K3-C32-V4-D2            16    16    0           0.064     0.014 
p-bound-modK-K3-C8-V4-D2            16    16    0           0.050     0.007 
p-bound-modK-K3-C16-V4-D2           16    16    0           0.096     0.013 
p-bound-modK-K3-C32-V4-D2           16    16    0           0.190     0.027 
p-bound-modS4-K3-C8-V4-D2           16    8     7           57.349    57.116 
p-bound-modS4-K3-C16-V4-D2          16    1     15          93.910    93.861 
p-bound-modS4-K3-C32-V4-D2          16    0     16          100.000   100.000 
p-unbound-qbf-cnf-K4-C8-V2-D3       16    15    0           0.162     0.094 
p-unbound-qbf-cnf-K4-C16-V2-D3      16    3     0           0.183     0.094 
p-unbound-qbf-cnf-K4-C32-V2-D3      16    0     0           0.229     0.093 
p-unbound-qbf-modK-K4-C8-V2-D3      16    0     0           0.232     0.053 
p-unbound-qbf-modK-K4-C16-V2-D3     16    0     0           0.319     0.058 
p-unbound-qbf-modK-K4-C32-V2-D3     16    0     0           0.478     0.064 
p-unbound-qbf-modS4-K4-C8-V2-D3     16    0     0           2.496     0.018 
p-unbound-qbf-modS4-K4-C16-V2-D3    16    0     0           3.659     0.026 
p-unbound-qbf-modS4-K4-C32-V2-D3    16    0     0           6.463     0.049 
persat-cnf-K4-C8-V4-D2              16    16    0           0.016     0.009 
persat-cnf-K4-C16-V4-D2             16    16    0           0.038     0.025 
persat-cnf-K4-C32-V4-D2             16    16    0           0.207     0.185 
persat-modK-K4-C8-V4-D2             16    11    5           56.245    56.234 
persat-modK-K4-C16-V4-D2            16    1     15          93.769    93.766 
persat-modK-K4-C32-V4-D2            16    3     9           74.895    74.869 
persat-modS4-K4-C8-V4-D2            16    7     0           10.833    10.666 
persat-modS4-K4-C16-V4-D2           16    4     0           7.039     6.714 
persat-modS4-K4-C32-V4-D2           16    2     0           3.041     2.395 

Table 1. Reference Problems Results 



DLP is also a complete description logic system. It has an interface that can be used 
to define a collection of concepts and roles. DLP automatically computes the subsump- 
tion hierarchy of these concepts and provides facilities for querying this hierarchy. 



Performance Analysis 

DLP was only tested on the problems that used logics and possibly in- 
cluding global axioms. Testing was done on a machine with roughly the power of a 
Sparc Ultra 1. A time limit of 100 seconds was imposed for each problem instance. 
A special parser was written for DLP to input the problems. (Due to the fact that the 
problems were not in a format that FaCT could easily handle, FaCT was not run on the 
problems.) 

There are two times reported for each problem class in Table 1. The first times are 
for an entire run, including inputing the file and normalizing the resulting formula. The 
second times are for just the satisfiability checker itself. 
V    D    C/V:  1      2      3      4      5      6      7      8      16       32       64 
4    1          0.012  0.014  0.019  0.022  0.026  0.030  0.036  0.087  0.123    0.236 
8    1          0.020  0.031  0.039  0.056  0.065  0.078  0.090  0.947  *29.581  0.739 
16   1          0.047  0.075  0.105  0.142  0.180  0.214  0.264  0.992  *87.599  *3.711 
4    2          0.016  0.023  0.031  0.040  0.046  0.055  0.064  0.136  0.359    *7.701 
8    2          0.034  0.049  0.067  0.084  0.106  0.129  0.154  0.402  1.235    2.269 
16   2          0.016  0.023  0.031  0.040  0.046  0.055  0.064  0.136  0.359    *7.701 

Table 2. Generated Problems Results — bound-cnf-K3 (average time) 



Many of the reference problems were easy for DLP. The problems that were hard for 
DLP were the bound-modS4 problems and the persat-modK-K4 problems. They were 
much harder than the other problems. For the S4 problems this is probably because 
DLP uses an equality test to cut off modal loops. A subset test would probably be more 
effective. We do not know why DLP is slow on the persat-modK-K4 problems. 

DLP was run on some larger bound-cnf-K3 problems. The results are shown in 
Table 2. Times marked with a * indicate that some problem instances in the particular 
test exceeded the time bound. 

DLP has also been run on a number of other test suites. It did very well on the 
Tableaux’98 test suite. It also performs well on random formulae generated by other 
generators. A plot of its performance on random bound-cnf-K3 formulae with a modal 
depth of 2 and 9 variables is given in Figure 1. The plot shows the 50th, 60th, 70th, 
80th, 90th, and 100th percentiles of run time in seconds for various values of C/V (the 
ratio of clauses to variables). These results are competitive with the fastest propositional 
modal provers. 



Future Work 

We are in the process of designing and implementing a successor to DLP. This succes- 
sor will have a different algorithmic base, and incorporate a newer backtracking opti- 
mization called dynamic backtracking [Ginsberg(1993)]. This will allow the optimized 
handling of nominals, or description logic individuals. 
Fig. 1. Percentile times for formulae with 9-1350 clauses (C) and 9 variables (V) 
Abstract. In this paper we present the results of applying HAM-ALC, 
a description logic system for ALCNH_R, to modal logic SAT problems. 



1 Introduction 

Research on description logics and modal logics tackles related problems from different viewpoints. One of the recent advances in the development of “fast” description logic systems was the FaCT architecture [4] which focuses on TBox reasoning. Besides optimizations for computing the subsumption hierarchy (e.g. taxonomic encoding and other techniques), the FaCT system is based on optimized algorithms with appropriate data structures for speeding up the basic concept consistency test (dependency-directed backtracking, semantic branching [2] and caching of models). FaCT supports the logic ALC plus transitive roles, features and role hierarchies. In addition, generalized concept inclusions (GCIs, [1]) as well as cyclic terminologies are handled by preprocessing techniques and specific blocking strategies being used in the concept satisfiability algorithm [4]. Among other improvements for concept satisfiability checking, the importance of extensive model caching for concept terms and appropriate data structures for models is demonstrated by the evaluation results of the DLP system, a reimplementation of the algorithms used in the FaCT architecture [5]. One of the main results of the research on FaCT and DLP is that a well-designed combination of different techniques and strategies is necessary in order to dramatically increase system performance in the average case. However, neither FaCT nor DLP deals with ABoxes.

In the following we discuss the optimized description logic system HAM-ALC, which has been developed to extend the facilities offered by FaCT. In addition, HAM-ALC supports ABox reasoning for the language ALCNR which is presented in [1] (ALC with number restrictions, role conjunction or role hierarchies as well as GCIs but without transitive roles). Besides optimizations for TBoxes, it provides optimized implementations for the well-known inference problems ABox consistency checking, instance checking, realization, instance retrieval [1].
In the following we briefly sketch how known optimization techniques for concept consistency checking can be exploited for building efficient ABox consistency checking architectures. Afterwards, we demonstrate that this architecture can also be used for effectively solving average-case modal logic SAT problems. These first tests indicate that the implementation overhead inherent in a system for expressive description logics supporting ABoxes can be reduced to a minimum compared to a concept consistency checking architecture provided by, for instance, DLP.

2 Basic Architecture of HAM-ALC 

Similar to the techniques used in FaCT a preprocessing phase transforms concept expressions into negation normal form, removes duplicates, performs obvious simplifications, detects obvious clashes, flattens nested and/or expressions, normalizes the order of disjuncts and conjuncts, and provides a unique identification for all concepts which are structurally equal. For each concept, its negated counterpart is precomputed in order to support a fast access to negations of concepts (required for clash detection, see below).

ABox constraints consist of individual assertions (i : C) as well as role assertions ((i1, i2) : R). The ABox consistency checker has to deal with (possibly cyclic) graph structures at least in a finite part of the ABox. Thus, HAM-ALC has to explicitly represent role assertions as well as individuals. For an individual assertion HAM-ALC represents its name and non-negated preprocessed concept expression with a separated negation sign and a set of dependency ABox constraints documenting the origin of this assertion. The dependency constraints are required for dependency-directed backtracking (see below). In order to facilitate extensibility HAM-ALC does not use special “encoding tricks” for representing concepts but uses record structures to store relevant information. It normalizes or-, all-, and number restriction concepts of constraints into their equivalent negated form (e.g. (C1 ⊔ C2) ⇒ ¬(¬C1 ⊓ ¬C2), (∀R.C) ⇒ ¬(∃R.¬C), and (∃≤n R) ⇒ ¬(∃≥n+1 R)) while representing the negation sign of the concept as part of the constraint itself. This architectural decision helps to speed up the usual clash checks that test whether two constraints i : C1 and i : C2 exist such that C1 ⊓ C2 is equal to ⊥.

Constraints are considered as deterministic if their concept term is either 
atomic, an and-concept, or an or-concept with exactly one open disjunct (with 
an unknown truth value). The optimized algorithm treats the consistency test 
of ABox constraints generated by some- and at-least constraints as isolated sub- 
problems if value and at-most restrictions are carefully handled (see the calculus 
presented in [1]). 
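The normalization and clash check sketched in the two preceding paragraphs, as an added Python example (it is not HAM-ALC's Common Lisp code). The tuple encoding of concept terms, the names core, constraint and clashes, and the rule for at-least/at-most clashes are assumptions of this example; the page only states that or-, all- and number restriction concepts are rewritten into their negated duals and that the negation sign is kept in the constraint so that the clash check becomes an equality test.

```python
"""Normalizing description-logic concepts into the constraint form sketched
above and checking constraints for clashes.  Constructed example in the
spirit of the HAM-ALC description; it is not HAM-ALC's Common Lisp code."""

from collections import namedtuple

# Concept terms are nested tuples (constructed representation):
#   ('atom', A)          ('not', C)
#   ('and', C1, C2)      ('or', C1, C2)
#   ('some', R, C)       ('all', R, C)        exists R.C / forall R.C
#   ('atleast', n, R)    ('atmost', n, R)     >= n R / <= n R


def neg(t):
    """Negate a term, collapsing double negation so that ¬¬C and C are
    structurally equal (structural equality stands in for the page's
    'unique identification' of structurally equal concepts)."""
    return t[1] if t[0] == 'not' else ('not', t)


def core(c):
    """Rewrite a term so that only atom, not, and, some and atleast remain:
         C1 ⊔ C2  ->  ¬(¬C1 ⊓ ¬C2)
         ∀R.C     ->  ¬(∃R.¬C)
         ≤n R     ->  ¬(≥n+1 R)
    Conjuncts are put into a canonical order so that structurally equal
    concepts compare equal regardless of how they were written."""
    tag = c[0]
    if tag in ('atom', 'atleast'):
        return c
    if tag == 'not':
        return neg(core(c[1]))
    if tag == 'and':
        left, right = sorted((core(c[1]), core(c[2])), key=repr)
        return ('and', left, right)
    if tag == 'or':
        left, right = sorted((neg(core(c[1])), neg(core(c[2]))), key=repr)
        return neg(('and', left, right))
    if tag == 'some':
        return ('some', c[1], core(c[2]))
    if tag == 'all':
        return neg(('some', c[1], neg(core(c[2]))))
    if tag == 'atmost':
        return neg(('atleast', c[1] + 1, c[2]))
    raise ValueError('unknown constructor %r' % (tag,))


# A constraint i : C keeps the outermost negation sign separately from the
# (positive) concept term, as the text describes for HAM-ALC.
Constraint = namedtuple('Constraint', 'ind negated concept')


def constraint(ind, c):
    """Build the constraint ind : c in negated form."""
    t = core(c)
    if t[0] == 'not':
        return Constraint(ind, True, t[1])
    return Constraint(ind, False, t)


def clashes(a, b):
    """Clash test for two constraints about the same individual:
       (i)  the same concept with opposite sign, i.e. C ⊓ ¬C = ⊥;
       (ii) ≥n R together with ¬(≥m R), i.e. ≤(m-1) R, when n ≥ m
            (assumed rule for the number restriction case).
    Because the negation sign is part of the constraint, (i) is a plain
    equality test on the normalized concept term."""
    if a.ind != b.ind:
        return False
    if a.concept == b.concept and a.negated != b.negated:
        return True
    pos, negd = (a, b) if not a.negated else (b, a)
    return (not pos.negated and negd.negated
            and pos.concept[0] == 'atleast' and negd.concept[0] == 'atleast'
            and pos.concept[2] == negd.concept[2]
            and pos.concept[1] >= negd.concept[1])


def consistent(constraints):
    """True if no pair of constraints clashes, i.e. the check a tableau
    expansion performs after every added constraint."""
    return not any(clashes(x, y) for i, x in enumerate(constraints)
                   for y in constraints[i + 1:])
```

With this representation ∀R.A and ∃R.¬A on the same individual normalize to the same concept term with opposite signs, so the clash is found by comparing two tuples; likewise A ⊔ B and ¬A ⊓ ¬B (written in either conjunct order) clash, and ≤2 R is consistent with ≥2 R but not with ≥3 R.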



2.1 Optimization Techniques 

Or-constraints are a major source of complexity in tableaux expansion. Two major optimization strategies are embedded into the architecture of HAM-ALC that deal with this complexity. The first technique is called semantic branching, the second one is dependency-directed backtracking. A third strategy tries to avoid the recomputation of identical or similar subtableau by using a so-called “model caching and merging technique” that possibly replaces the tableau satisfiability test by operating on cached models for concepts. We briefly review these techniques and explain their integration into HAM-ALC.



Semantic Branching In contrast to syntactic branching, where redundant 
search spaces may be repeatedly explored, semantic branching uses a splitting 
rule which divides the original problem into two smaller disjoint subproblems 
(see [2] for a discussion). Semantic branching is usually supported by various 
techniques intended to speed up the search. 

A lookahead algorithm or constraint propagator is applied to reduce the order 
of magnitude of the open search space. Thus, after every tableau expansion step 
HAM-ALC propagates the truth value of the newly added constraint into all 
open disjuncts of all or-constraints with an unknown truth value. As a result 
of this step, or-constraints might be recognized as satisfied (i.e. one disjunct is 
satisfied), deterministic (i.e. exactly one disjunct remains open), or might even 
clash (all disjuncts are unsatisfied). 

Various heuristics are used to select the next or-constraint and one of its disjuncts for processing. HAM-ALC employs a dynamic selection scheme. The oldest-first nesting strategy is used for selecting one or-constraint with at least two open disjuncts. The selection of a disjunct from this or-constraint is achieved by counting the negated and non-negated occurrences for each open disjunct in all other open or-constraints. These numbers are used as input for a priority function that selects the disjunct. The priority function is adopted from FaCT and achieves the following goals. It prefers disjuncts that occur frequently in unexpanded binary constraints and balanced or-constraints (i.e. containing a similar number of negated and non-negated occurrences of the same disjunct) but discriminates between unbalanced or-constraints. In order to perform individual-specific counting very quickly, HAM-ALC precomputes data structures for cross-referencing open or-constraints that contain this concept in negated and/or non-negated form. Once a disjunct is selected, the priority function is also used to determine which branch of the search tree is tried first by the splitting rule.



Dependency-directed Backtracking Naive backtracking algorithms often explore regions of the search space rediscovering the same contradictions repeatedly. An integral part of the HAM-ALC architecture is a dependency management system. It records the dependencies of every constraint, i.e. whenever a constraint is created, its precondition constraints are saved as a dependency set. This set is employed by the dependency-directed backtracking technique of HAM-ALC in order to reduce the search space.

Whenever a clash occurs, the union of the dependency sets of the clash culprits (referred to as clash dependency set) is recorded and backtracking is started. When a semantic branching point is encountered during backtracking, HAM-ALC checks whether this or-constraint is responsible for a clash culprit (i.e. is a member of the clash dependency set). If the or-constraint is not found, this branching point can be safely bypassed. In case the or-constraint is found, either the remaining semantic alternative is tried or this disjunct is considered as unsatisfiable in the current subtree. The backtracking continues but removes the current or-constraint from the clash dependency set and adds the saved clash dependency set of the first clashed alternative. This technique was first realized in the FaCT [4] system and is extended in the HAM-ALC architecture for dealing with different individuals.
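The semantic branching scheme (splitting rule, constraint propagation, disjunct selection) and the dependency-directed backtracking just described, combined in one added Python example for the propositional case. This is constructed illustration code, not HAM-ALC or FaCT code: or-constraints are plain lists of literals, branching points are identified by their search depth, the priority function is reduced to counting occurrences of a disjunct's variable in the other open or-constraints, and the names propagate, solve and model are this example's own.

```python
"""Semantic branching with constraint propagation and dependency-directed
backtracking (backjumping) over a set of or-constraints.  Constructed
propositional example in the spirit of the HAM-ALC description above; it is
not HAM-ALC's code.  An or-constraint is a list of literals (var, polarity)."""


class Clash(Exception):
    """Raised when every disjunct of an or-constraint is unsatisfied.
    `deps` is the clash dependency set: the ids of the branching points on
    which the clash culprits depend."""
    def __init__(self, deps):
        super().__init__(sorted(deps))
        self.deps = frozenset(deps)


def lit_value(lit, assign):
    """True/False if the literal is decided under assign, else None.
    assign maps var -> (value, dependency set)."""
    var, pol = lit
    if var not in assign:
        return None
    return assign[var][0] == pol


def propagate(clauses, assign):
    """Push the truth values in `assign` into all open or-constraints until
    nothing changes.  An or-constraint becomes satisfied, deterministic (one
    open disjunct, which is then added) or clashes.  Returns the extended
    assignment or raises Clash."""
    assign = dict(assign)
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(lit_value(l, assign) for l in clause):
                continue                                    # satisfied
            open_lits = [l for l in clause if lit_value(l, assign) is None]
            # every decided disjunct is false here; the forced disjunct or
            # the clash depends on whatever those decisions depended on
            deps = set().union(*(assign[v][1] for v, _ in clause if v in assign))
            if not open_lits:
                raise Clash(deps)
            if len(open_lits) == 1:                         # deterministic
                var, pol = open_lits[0]
                assign[var] = (pol, deps)
                changed = True
    return assign


def choose(clause, open_clauses, assign):
    """Pick the open disjunct of `clause` whose variable occurs most often in
    the other open or-constraints (a cut-down stand-in for the priority
    function the text attributes to FaCT)."""
    open_lits = [l for l in clause if lit_value(l, assign) is None]

    def score(lit):
        return sum(1 for c in open_clauses if c is not clause
                   for v, _ in c if v == lit[0])
    return max(open_lits, key=score)


def solve(clauses, assign=None, depth=0, stats=None):
    """Depth-first search; returns a satisfying assignment or raises Clash.
    stats['branches'] counts the alternatives actually tried."""
    stats = stats if stats is not None else {'branches': 0}
    assign = propagate(clauses, assign or {})
    open_clauses = [c for c in clauses
                    if not any(lit_value(l, assign) for l in c)]
    if not open_clauses:
        return assign
    clause = open_clauses[0]                 # oldest-first selection
    var, pol = choose(clause, open_clauses, assign)
    bp = depth                               # id of this branching point
    # Semantic branching: the subproblems "var = pol" and "var = not pol"
    # are disjoint, so no part of the search space is explored twice.
    stats['branches'] += 1
    first = dict(assign)
    first[var] = (pol, {bp})
    try:
        return solve(clauses, first, depth + 1, stats)
    except Clash as e:
        if bp not in e.deps:
            raise                            # bypass: not a culprit of this clash
        saved = e.deps
    stats['branches'] += 1
    second = dict(assign)
    second[var] = (not pol, {bp})
    try:
        return solve(clauses, second, depth + 1, stats)
    except Clash as e:
        if bp not in e.deps:
            raise
        # Both alternatives failed: drop this branching point from the clash
        # dependency set and add the saved set of the first alternative.
        raise Clash((e.deps | saved) - {bp})


def model(clauses, stats=None):
    """Return {var: bool} satisfying all or-constraints, or None if none exists."""
    try:
        return {v: val for v, (val, _) in solve(clauses, stats=stats).items()}
    except Clash:
        return None


def satisfies(clauses, values):
    """Check a plain {var: bool} assignment against all or-constraints."""
    return all(any(values.get(v) == pol for v, pol in c) for c in clauses)
```

The payoff of the dependency sets shows on an unsatisfiable set of or-constraints preceded by an unrelated disjunction x ∨ y: the clash dependency set returned from the a/b subproblem is empty, so the branching point for x ∨ y is bypassed and its second alternative is never tried (three alternatives in total instead of re-running the whole subproblem under x = false).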

Model-based Satisfiability Tests The third major strategy tries to avoid the recomputation of identical or similar subtableaux (caused by a some- or an at-least constraint and the corresponding all- and at-most constraints) by using operations on cached “models” for concepts. The test whether a concept C subsumes a concept D is preceded or may be even replaced by a merging test for the models of ¬C and D. This technique was first developed for the FaCT system for ALC. HAM-ALC extends this technique for ALCNR and refines it in several ways: (1) In contrast to FaCT it deals with deep models and introduces and exploits deterministic models. (2) Every satisfiability test of a subtableau is preceded by a model merging test working with either deep or flat models. (3) The concept subsumption test is devised as a two-level procedure first trying a novel structural subsumption test (see below) that is optionally followed by a regular tableaux satisfiability test.

A model of a concept is computed by applying the standard satisfiability test. In case of a failure this incoherent concept is associated with the ⊥-model. Otherwise HAM-ALC constructs and caches a model from the final tableau. A model consists of a concept set containing every (negated) atomic, some-, at-least, all-, and at-most concept occurring in the final constraint set of the tableau. And- and or-concepts may be safely ignored due to their decomposition by the tableaux rules. A model is marked as deterministic if the constraint set contains no or-constraint and no at-most constraint that caused fork elimination.

The standard flat model merging test (due to FaCT) for a set of models M = {M1, ..., Mn} works as follows. The concept sets of every pair (Mi, Mj) (with Mi, Mj ∈ M and i ≠ j, 1 ≤ i, j ≤ n) are mutually checked for a potential clash. If either a pair (Ci, Cj) (with Ci ∈ Mi, Cj ∈ Mj) of clashing atomic concepts or of potentially interacting some- and all-concepts via a common role R is found, the test returns unmergable. Otherwise it returns mergable. The flat model merging test is sound but not complete. Thus, it precedes every concept subsumption and subtableau satisfiability test and replaces it if the answer is mergable. HAM-ALC extends this technique for ALCNR in two ways. Its model merging test correctly deals with number restriction concepts and keeps track of deterministic models and becomes sound and complete if only deterministic models are involved. It realizes a deep model merging test that recursively checks the models of potentially interacting some- and all-concepts. HAM-ALC tries to maximize the use of deterministic models for concept subsumption tests.
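The flat model merging test of the previous paragraph, and its use in front of a subsumption test, as an added Python example (not FaCT or HAM-ALC code). The page states the atomic-clash and some/all-interaction rules; the treatment of number restrictions here (at-least/some against all or at-most counted as a potential interaction, at-least n against at-most m a clash only for n > m) is this example's own conservative choice, since the page says only that HAM-ALC "correctly deals with" them. The model encoding and the function names are assumptions as well.

```python
"""Flat model merging test of the kind described above, as an added Python
example (not the HAM-ALC or FaCT code).  A cached model is a set of concept
tuples taken from the final constraint set of a tableau:
    ('atom', A)   ('not', A)   ('some', R, C)   ('all', R, C)
    ('atleast', n, R)   ('atmost', n, R)
where C names a sub-concept that the flat test deliberately does not open."""

from itertools import combinations


def role(c):
    """Role name of a some/all/atleast/atmost concept."""
    return c[2] if c[0] in ('atleast', 'atmost') else c[1]


def pair_conflict(m1, m2):
    """Return a reason why the union of two models might be inconsistent, or
    None if the flat test finds no potential interaction (one direction only;
    flat_merge calls it both ways)."""
    for c in m1:
        if c[0] == 'atom' and ('not', c[1]) in m2:
            return 'atomic clash on %s' % c[1]
        if c[0] == 'not' and ('atom', c[1]) in m2:
            return 'atomic clash on %s' % c[1]
    # Successor-creating concepts versus successor-constraining concepts.
    # ∃R.C / ≥n R against ∀R.D: the successors would have to satisfy D, which
    # cannot be checked without looking into C and D (a deep test would).
    # ∃R.C against ≤m R: distinct successors might have to be identified.
    # ≥n R against ≤m R is an outright clash exactly when n > m.
    for c in m1:
        for d in m2:
            if c[0] not in ('some', 'atleast') or d[0] not in ('all', 'atmost'):
                continue
            if role(c) != role(d):
                continue
            if d[0] == 'all' or c[0] == 'some':
                return 'interaction on role %s' % role(c)
            if c[1] > d[1]:
                return 'number restriction clash on role %s' % role(c)
    return None


def flat_merge(models):
    """'mergable' if no pair of models shows a potential clash, else
    'unmergable'.  Sound but not complete: 'mergable' guarantees the union of
    the models is satisfiable; 'unmergable' only means the tableau test is
    still needed."""
    for m1, m2 in combinations(models, 2):
        if pair_conflict(m1, m2) or pair_conflict(m2, m1):
            return 'unmergable'
    return 'mergable'


def subsumption_quick_answer(model_not_c, model_d):
    """Subsumption test C ⊒ D preceded by merging the models of ¬C and D: if
    they merge, ¬C ⊓ D is satisfiable, so C does not subsume D and the tableau
    test is skipped.  Returns False in that case and None when the full test
    is still required."""
    return False if flat_merge([model_not_c, model_d]) == 'mergable' else None
```

The asymmetry of pair_conflict is intentional: the role rules only look for a generator in the first model and a restrictor in the second, and flat_merge applies the function in both orders, which keeps each rule readable and still covers every pair.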
Table 1. TANCS’99 selected reference problems of the modal pspace division.

Problem              Clauses   Variables   Depth   Runtime (10ms)
bounded CNF                8           4       2                0
                          16           4       2                2
                          32           4       2                6
bounded CNF modK           8           4       2                2
                          16           4       2                5
                          32           4       2               14
unbounded QBF              8           2       3               27
                          16           2       3               33
                          32           2       3               53
unbounded QBF modK         8           2       3               24
                          16           2       3               36
                          32           2       3               61


3 Implementation Language and Special Features 

HAM-ALC is implemented in Common Lisp and has been tested with Macin- 
tosh Common Lisp, Allegro Common Lisp (SunOS, Windows, Linux). HAM- 
ALC provides a Web-based interface [3]. 

4 First Results on a Performance Analysis 

For TANCS-99 we have tested HAM-ALC on the modal PSPACE division ref- 
erence problems (see Table 1). The runtimes (in 10ms) are computed based on 
the files provided by TANCS-99. For each parameter setting (see Table 1) the 
computation results of the 16 problem instances are averaged (geometric mean). 
We have run the system on a Sun Ultra Sparc 2 (300 MHz) with Allegro CL 5.0. 
Architecture and Algorithm: KtSeqC is based upon the right sided labelled sequent system for tense logic Kt described in [BG98] which itself is based upon the work of [BP95,Mas94,HSZ96]. The work of Pitt [PC96] is closely related but Pitt uses the calculus KE incorporating an analytical cut-rule. We have also incorporated simplification as reported in [Mas98,HS98].

The system converts a given formula to implication-free negated normal form 
and performs some optimisations that handle the commutativity of the binary 
connectives. The search strategy picks a formula on the right hand side of the 
sequent and then applies the inference rule appropriate to the main connective 
of the formula. Since every inference rule in KtSeq is invertible the choice of the 
formula, from the right hand side of the sequent, does not affect completeness. 
This allows for various search strategies such as leaving formulae whose main 
connective is a conjunction until last. Special mechanisms for loop detection need 
to be added to handle transitive extensions of Kt and to handle global logical 
consequence. 

Implementation: KtSeqC is implemented in roughly 1800 lines of C (which we expect to halve by using C++ and inheritance), using the flex and yacc libraries for parsing purposes. Each time a subformula A (of the principal formula) is parsed, the program determines, using a hash table of pointers to previously parsed formulae, whether the subformula has previously been parsed. If the subformula has previously been parsed, then the internal representation of the subformula (which can be located using the hash table) is returned to the next level of parsing. If the subformula had not previously been parsed, then an internal representation is created for A and nnf(¬A), with a “negation” pointer to connect them; both are then inserted into the hash table. This implements structure sharing. That is, if two different formulae A and B have a subformula C in common then the two occurrences of C are represented by the same location of the hash table.

The hash value of a subformula is computed recursively - an ascii value is given to literals, while complex subformulae receive a hash value based on the main connective and the sum of the hash values of their children. The resultant commutativity of the hash function allows A ∨ B to be recognised as equivalent to B ∨ A while parsing, but retains the difference between A ∨ B and A ∧ B. No attempt is made to handle the associativity of the boolean connectives. That is, the two formulae (A ∨ B) ∨ C and A ∨ (B ∨ C) are parsed as different formulae.

The method of parsing the formula has proved useful since it allows us to negate arbitrary subformulae and compare subformulae for syntactic identity in constant time. This means that when parsing a formula A, we obtain the nnf of every subformula of A while increasing the parsing time for A by only a constant factor. Storage of sets of formulae is efficient since the formulae are represented as pointers.
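The structure-sharing parser described in the three preceding paragraphs, as an added Python example (it is not the KtSeqC C code). The example keeps the observable behaviour the text specifies: every subformula is interned once in a hash table, A and nnf(¬A) are created together and linked by a negation pointer, A ∨ B and B ∨ A share an entry, A ∨ B and A ∧ B do not, and associativity is not handled. It differs in mechanism: commutativity comes from sorting the children's keys rather than from summing hash values, the input is prefix notation rather than the flex/yacc grammar, and the class and function names (Store, Formula, parse) are this example's own.

```python
"""Structure sharing for formulae through a hash table with negation
pointers, in the style the text describes for KtSeqC.  Constructed Python
example, not the KtSeqC C code."""

# Duals used when building nnf(¬A) alongside A; box/dia and pbox/pdia stand
# for the future and past tense operators of Kt.
DUAL = {'and': 'or', 'or': 'and', 'box': 'dia', 'dia': 'box',
        'pbox': 'pdia', 'pdia': 'pbox'}
COMMUTATIVE = ('and', 'or')


class Formula:
    """One hash-table entry: connective, shared children, negation pointer."""
    __slots__ = ('op', 'args', 'key', 'neg')

    def __init__(self, op, args, key):
        self.op, self.args, self.key, self.neg = op, args, key, None

    def __repr__(self):
        if self.op in ('lit', 'nlit'):
            return ('~' if self.op == 'nlit' else '') + self.args[0]
        return '(%s %s)' % (self.op, ' '.join(map(repr, self.args)))


class Store:
    def __init__(self):
        self.table = {}          # key -> Formula (the hash table)

    def _key(self, op, args):
        ids = [a.key for a in args]
        if op in COMMUTATIVE:    # (or p q) and (or q p) get the same key;
            ids.sort(key=repr)   # (or (or p q) r) and (or p (or q r)) do not
        return (op,) + tuple(ids)

    def _intern(self, op, args):
        key = self._key(op, args)
        f = self.table.get(key)
        if f is None:
            f = Formula(op, tuple(args), key)
            self.table[key] = f
        return f

    def lit(self, name):
        """Literal p; ¬p is created at the same time and cross-linked."""
        f = self.table.get(('lit', name))
        if f is None:
            f = Formula('lit', (name,), ('lit', name))
            g = Formula('nlit', (name,), ('nlit', name))
            f.neg, g.neg = g, f
            self.table[f.key], self.table[g.key] = f, g
        return f

    def make(self, op, *args):
        """Build op(args) in negation normal form.  'not' costs one pointer
        dereference; any other connective also creates nnf(¬op(args)) and
        links the two so that later negations are constant time as well."""
        if op == 'not':
            return args[0].neg
        f = self._intern(op, args)
        if f.neg is None:
            g = self._intern(DUAL[op], [a.neg for a in args])
            f.neg, g.neg = g, f
        return f


def parse(store, text):
    """Parse prefix notation such as "(or p (box (not q)))" into the store;
    every subformula passes through the hash table, so a subformula shared by
    two inputs is represented exactly once."""
    tokens = text.replace('(', ' ( ').replace(')', ' ) ').split()
    pos = 0

    def expr():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != '(':
            return store.lit(tok)
        op = tokens[pos]
        pos += 1
        args = []
        while tokens[pos] != ')':
            args.append(expr())
        pos += 1
        return store.make(op, *args)

    return expr()
```

After parsing "(or p q)" the table holds six entries (p, ¬p, q, ¬q, p ∨ q and its nnf negation ¬p ∧ ¬q), and parsing "(not (or p q))" returns the very object that "(and (not p) (not q))" returns, because both are found through the negation pointer and the hash table rather than rebuilt.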

Special Features: KtSeqC is still a prototype and handles local logical con- 
sequence in the minimal tense logic Kt (including the minimal normal modal 
logic K). It is trivially extendible to the multimodal logic K(m) but the nec- 
essary extensions have not been included so far. The current system does not 
handle global logical consequence. A proof trace of the sequents in the deriva- 
tion can be obtained but it is not structured into an actual sequent tree proof. 
Printing the labelled literals associated with an open branch trivially gives a 
counter-model as required. 

An advantage of KtSeqC is that it requires only a C compiler equipped 
with the lex and yacc libraries, making it quite portable. It has been tested 
using SunOS 5.6 and Redhat Linux 5.1. 

Performance Analysis: We tested KtSeqC successfully on Heuerding’s benchmarks [Heu98] to test for soundness; these results are not shown, but are available on request. The following results are for the benchmarks of the current comparison. Our results indicate that our prover is fast for satisfiable formulae but slow for valid formulae. We have not pinpointed the cause of this but suspect that our prover is simply being swamped by the large number of branches which must be closed when testing a valid formula. Clearly, further optimisations are required.

KtSeqC can be found at: http://arp.anu.edu.au/~rpg/KtSeqC.html



Category          Subsection   Problem Number   time (sec)   result
p-persat-cnf-K4            8   1-16             > 100,000    ?
p-persat-cnf-K4           16   1-10             > 100,000    ?
p-persat-cnf-K4           16   11               1000         not valid
p-persat-cnf-K4           16   12-16            > 100,000    ?
p-persat-cnf-K4           32   1-16             > 100,000    ?
p-persat-cnf-K4           32   1-2              > 100,000    ?
p-persat-cnf-K4           32   3                1000         not valid
p-persat-cnf-K4           32   4                > 100,000    ?
p-persat-cnf-K4           32   5                2000         not valid
p-persat-cnf-K4           32   6                > 100,000    ?
p-persat-cnf-K4           32   7                2000         not valid
p-persat-cnf-K4           32   8-11             > 100,000    ?
p-persat-cnf-K4           32   12               2000         not valid
p-persat-cnf-K4           32   13-14            > 100,000    ?
p-persat-cnf-K4           32   15-16            1000         not valid
Category      Subsection   Problem Number   time (msec)   result
bound-cnf              8   1-6              1000          not valid
bound-cnf              8   7                2000          not valid
bound-cnf              8   8-16             1000          not valid
bound-cnf             16   1-16             1000          not valid
bound-cnf             32   1-5              1000          not valid
bound-cnf             32   5                > 100,000     ?
bound-cnf             32   6-15             1000          not valid
bound-cnf             32   16               > 100,000     ?
bound-modK             8   1-16             1000          not valid
bound-modK            16   1                2000          not valid
bound-modK            16   2-4              1000          not valid
bound-modK            16   5                2000          not valid
bound-modK            16   6-16             1000          not valid
bound-modK            32   1                > 100,000     ?
bound-modK            32   2                4000          not valid
bound-modK            32   3-4              1000          not valid
bound-modK            32   5                > 100,000     ?
bound-modK            32   6                1000          not valid
bound-modK            32   7                6000          not valid
bound-modK            32   8                1000          not valid
bound-modK            32   9                3000          not valid
bound-modK            32   10-11            > 100,000     ?
bound-modK            32   12-15            2000          not valid
bound-modK            32   16               8000          not valid
Abstract. The formal verification of security protocols is one of the successful applications of automated reasoning¹. Techniques based on belief logics, model checking, and theorem proving have been successful in determining strengths and weaknesses of many protocols, some of which had even been fielded before being discovered to be badly wrong.

This tutorial presents the problems to the “security illiterate”, explaining aims, objectives and tools of this application of automated reasoning.



1 Scientific Contents 

The tutorial will run through three modules, and a fourth one, if time allows. 

At first, there is an introduction to security protocols. This module sets the terminology, the basic things we need to know about security and cryptography [1,7,12], and introduces the running examples for the rest of the tutorial: two simple protocols for challenge-response of the ISO standard [8] with a few hints to either the well-known Needham-Schroeder public-key protocol [13,9] or the mechanized version of the Kerberos protocol [2].

The second module focuses on the BAN Logics and the goals of security protocols. It explains a few of the main properties that a security protocol should provide, such as secrecy, integrity, freshness, authentication, proof of identity, non-repudiation [5,7,15]. We use the original simple and intuitive BAN logic by Burrows, Abadi and Needham [5], and just point to more sophisticated logics [10,15]. Then, we can see some properties, with tableau-like proofs as in [10], which characterize the protocols we have seen in the first part.

We do not deal with automatic proof systems for belief logics (e.g. [4]) because their main feature is indeed being a high-level formalism for proofs by hand (and, as such, also a bit semantically inaccurate [10,15]).

The third module focuses on first order logic (with induction) and theorem proving, going to the (interactive) theorem proving realm. The theory becomes complex (we need at least first order logic with sets or variants thereof) and the mechanization of the reasoning becomes imperative. The module presents the main ideas behind this approach: model the execution of a security protocol as a trace of atomic actions and then use first order logic [3], or eventually first order logic with induction [14,2], to prove properties about traces. The formalizations we present are those by Bolignano [3] and Paulson [14,2], for which we give a few examples in the modeling of the properties of messages (asymmetric encryption, hashing etc.), the simple challenge-response protocols we have seen, and the actions of a potential attacker.

¹ Indeed, the proposal to use tableaux for security verification dates back to 1983 [11].

Neil V. Murray (Ed.): TABLEAUX’99, LNAI 1617, pp. 32-34, 1999.
(c) Springer-Verlag Berlin Heidelberg 1999
Automated Reasoning and the Verification of Security Protocols

Some desirable security properties, that we might like to prove with a theorem 
prover, will be shown and discussed. We will see how the properties we have 
sketched in the module on the BAN logic can be recaptured in this framework. 

Last but not least, the main ideas behind process algebras and model checking approaches, such as those using CSP [9] or CCS [6], will be sketched. The last module shows how model checkers [9], together with state exploration tools [12], can be used to find attacks on security protocols, a nice complement to the theorem proving work.



References

1. R. Anderson and R. Needham. Programming Satan’s computer. In Computer Science Today, LNCS 1000, pp. 426-440. Springer-Verlag, 1996.

2. G. Bella and L. Paulson. Kerberos version IV: inductive analysis of the secrecy goals. In Proc. of ESORICS-98, LNCS 1485. Springer-Verlag, 1998.

3. D. Bolignano. An approach to the formal verification of cryptographic protocols. In Proc. of the 3rd ACM Conf. on Comm. and Comp. Security, pp. 106-118, 1996.

4. S. Brackin. A HOL extension of GNY for automatically cryptographic protocols. In Proc. of the 9th IEEE Comp. Sec. Found. Workshop. IEEE Press, 1996.

5. M. Burrows, M. Abadi, and R. Needham. A logic for authentication. ACM TOCS, 8(1):18-36, 1990.

6. R. Focardi and R. Gorrieri. The compositional security checker: A tool for the verification of information flow security properties. IEEE TOSE, 23(9):550-571, 1997.

7. D. Gollmann. What do we mean by entity authentication. In Proc. of the 15th IEEE Symp. on Sec. and Privacy, pp. 46-54. IEEE Press, 1996.

8. International Organization for Standardization. ISO/IEC Draft Int. Std. 10181-2.2 IT - Open System Interconnection - Security Framework for Open Systems: Authentication Framework, 1993. Section 8.1.5.

9. G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR. In Proc. of TACAS, LNCS 1055, pp. 147-166. Springer-Verlag, 1996.

10. W. Mao and C. Boyd. Towards formal analysis of security protocols. In Proc. of the 6th IEEE Comp. Sec. Foundations Workshop, pp. 147-158. IEEE Press, 1993.

11. B. Marick. The VERUS design verification system. In Proc. of the 2nd IEEE Symp. on Sec. and Privacy, pp. 150-157. IEEE Press, 1983.

12. C. Meadows. Formal verification of cryptographic protocols: A survey. In Proc. of ASIACRYPT-94, LNCS 917, pp. 133-150. Springer-Verlag, 1995.

13. R. Needham and M. Schroeder. Using encryption for authentication in large networks of computers. CACM, 21(12):993-999, 1978.

14. L. Paulson. The inductive approach to verifying cryptographic protocols. J. of Computer Security, 1998.

15. P. Syverson and P. van Oorschot. On Unifying Some Cryptographic Protocols Logics. In Proc. of the 13th IEEE Symp. on Sec. and Privacy. IEEE Press, 1994.

Fabio Massacci



Proof Confluent Tableau Calculi

Reiner Hähnle and Bernhard Beckert

Dept. of Computer Science, University of Karlsruhe
76128 Karlsruhe, Germany
{reiner,beckert}@ira.uka.de



1 Introduction 

A tableau calculus is proof confluent if every partial tableau proof for an unsatisfiable formula can be extended to a closed tableau. A rule application may be redundant but it can never prevent the construction of a proof; there are no “dead ends” in the proof search. Proof confluence is a prerequisite of (a) backtracking-free proof search and (b) the generation of counter examples to non-theorems.

In this tutorial we discuss the role and perspectives of proof confluent cal- 
culi in tableau-based theorem proving. For the sake of simplicity the discussion 
focuses on clause tableaux. 

2 Tableaux with Selection Function 

Among the more effective resolution refinements are those based on selection 
functions such as hyperresolution and semantic resolution. A number of calculi 
related to these concepts were also introduced into the world of semantic tableaux 
in form of various proof confluent refinements. 

The emphasis so far was on tableau calculi corresponding to positive hyperresolution and binary resolution with selection function. In this tutorial, more general calculi based on arbitrary selection functions with hyper extension steps are discussed. For those selection functions that correspond to Herbrand interpretations one obtains a semantic tableau analogue of semantic resolution. All introduced calculi are based on a simple, generic saturation principle leading to brief and schematic completeness proofs.

It is shown that just as model generation theorem proving (MGTP) is an instance of hyper tableaux, constraint MGTP turns out to be an instance of hyper tableaux with selection function. This gives a formal justification why constraint MGTP is a complete procedure for many applications such as quasigroup problems.

3 Proof Confluence and Strong Completeness 

For practical purposes, a completeness theorem merely stating the existence of 
a tableau proof is not sufficient. A stronger result is needed giving the guarantee 
that a concrete tableau proof search procedure will find a closed tableau if there exists one. Let us call this (as usual) the strong completeness problem.

This problem can easily be solved if the calculus is non-destructive, i.e., if all tableaux that can be constructed from a given tableau contain that tableau as an initial subtree. In that case, one can simply arrange input clauses in a queue (on each branch) and thus ensure that enough instances of each clause are used on each branch to obtain a proof. Examples of non-destructive tableau calculi are Smullyan tableaux and Fitting’s delayed instantiation rule.

Unfortunately, the standard version of clause tableaux is a destructive cal- 
culus. The culprit is the closure rule, which allows to instantiate free variables. 

The standard solution for proof search in all destructive calculi is depth-first iterative deepening search; it was pioneered by Stickel, and is used, for example, in the provers Setheo, aZ^, and KoMeT. One enumerates all tableaux up to a fixed size via backtracking over possible closure rule applications. Completeness is achieved by iterative increase of the bound on tableau size.

But how, besides backtracking, can the strong completeness problem be dealt with in case the calculus is destructive but proof confluent? A strongly complete procedure performing a depth-first proof search has several advantages. The information represented by the constructed tableaux increases at each proof step; no information is lost since there is no backtracking. In addition, considering similar tableaux or sequences of tableaux in different paths of the search tree is avoided.

The problem of constructing a strongly complete proof procedure without 
backtracking is discussed in the last part of the tutorial. A possible solution is 
presented that is based on a notion of regularity to make sure that there are 
no “cycles” in the search (it is not possible to deduce the same literals, clauses, 
or sub-tableau again and again). In addition, each literal is assigned a “weight” 
in such a way that there are only finitely many different literals (up to variable 
renaming) of a certain weight; thus, since literals with lesser weight are deduced 
first, sooner or later each possible conclusion is added to all branches containing 
its premiss, i.e., the strategy is fair. To handle the destructiveness of clause 
tableaux, the strategy employs reconstruction steps. Immediately after a rule 
application that instantiates free variables, the expansion steps that are needed 
to recreate the destroyed part of the tableau are executed. 



Further Information 

There is a Web page for this tutorial, where slides, references, and related papers 
are available; the URL is il2www.ira.uka.de/tab99-tutorial. 
Abstract. The class of projective propositional logics is defined by a certain format of the definition of truth functions for their connectives with respect to a semantic theory. All finite valued logics, but also infinite valued Gödel logic are shown to be projective. Analytic Gentzen type calculi are uniformly derived for all projective logics. Admissibility of cut rules and other structural rules is investigated. The special case of Gödel logics is exemplified in detail and compared with the previous approach of Avron (based on hypersequents).



1 Introduction 

The construction of an analytic calculus is a key to a profound understanding of the relation between the syntax and semantics of a logic. In particular, it is the basis for feasible proof search. However, typical application scenarios hardly allow one to single out in advance a particular logic as the most adequate basis for formal reasoning. We are rather urged to investigate broad families of logics, and - if possible - provide uniform calculi that facilitate the switch from one logic to another and deepen the understanding of the relations between them.

A good example of successful research along this line is the development of uniform, proof search oriented calculi for the family of all finite valued logics (see, e.g., [12], [6]). Here we present a uniform approach to Gentzen systems for an even broader class of propositional logics. We define the class of projective logics, characterized by the form of the truth functions for its connectives and show how to translate a given specification of such a logic into a new type of analytic sequent calculus in a systematic, even mechanizable way. We also investigate, already at this general level, admissible forms of cut rules and other types of rules that may help to speed up proof search.

The most important example of projective logics are - finite as well as infinite valued - Gödel logics [5]. (In contrast, infinite valued Łukasiewicz logic and Product logic are not projective.) The significance of Gödel logics for reasoning in fuzzy contexts and other applications is well documented, e.g., in [3,2]. Since our framework covers all Gödel logics it provides insights into the relation between these logics beyond the horizon of previous approaches. An important and widely known alternative to our analytic calculus for infinite-valued Gödel logic is Avron’s hypersequent system GLC [11,13]. We provide an analysis of the connection between Avron’s calculus and ours.

The significance of this work for Automated Reasoning appears at two levels: 

1. We provide a framework that - in principle - allows the automated generation of cut-free calculi for a class of logics from given specifications of their semantics. This is very much in the spirit of ‘logic engineering’ as, e.g., propagated successfully by H.J. Ohlbach for modal logics (see, e.g., [10]). A system for automated reasoning of this type - for finite valued first-order logics - is Multlog [14]. Indeed, one can view this paper as a first step towards a sophisticated extension of Multlog.

2. It turns out that tableau style proof search algorithms based on our derived calculi seem to be computationally more adequate than other methods that have been proposed for particular projective logics. In particular, the central rule (‘communication rule’) of Avron’s above-mentioned hypersequent calculus GLC for infinite valued Gödel logic poses a serious problem for efficient proof search. In our calculus this critical rule is not needed. We instead build on an extended syntax and additional axioms (i.e., tableau closure rules).¹

2 Projective logics 

The syntax of the propositional logics considered here is completely general. Thus, an (object) language for a logic consists of an infinite supply of propositional variables, a finite set of connectives (with fixed arity), and a finite number of truth constants. (Truth constants will also be considered as 0-ary connectives.) The formulae of such a language are built up from its variables, constants, and connectives as usual.

The logics under investigation are characterized by a special format of the definitions of their semantics. Again, we take a very general approach. To specify a semantics we refer to some (classical, first order) theory T - called semantic theory - whose intended range of discourse is the set of truth values. T can, e.g., be the theory of linear orders or lattices or any other class of relational structures. It can also be the (first order) specification of a single structure. The only requirements we put on T are as follows:

(F) T is based on a function free language with finite signature. I.e., the atomic formulae are of form R(t_1, ..., t_r), where the t_i are variables or constants.
(D) The set of Π₁-formulae that are valid in T is decidable.

We use the notation “M ⊨ A[σ]” to denote that the formula A is satisfied in a model M (of T) under the assignment σ of elements of the domain of M to the free variables of A. The domain of M is called the set of truth values. By

¹ A quite different approach to efficient theorem proving for infinite valued Gödel logic consists in translating formulae to strict linear equalities over the reals, as R. Hähnle has pointed out.
“T ⊨ A” we mean that A is valid in T, i.e., A[σ] is satisfied in all models of T for all assignments σ.

Constants of T denote truth values and are identified with truth constants of the object language.

Quantifier and negation free formulae of T, i.e., formulae built up from atomic 
formulae using conjunction and disjunction only, will play a special role. Let us 
call such formulae simple. 

We call an n-ary connective □ projective if its truth function □̃ (i.e., the definition of its semantics with respect to T) can be written in the following form:

$$\tilde{\Box}(x_1,\ldots,x_n) = \begin{cases} t_1 & \text{if } A_1 \\ \;\vdots & \\ t_m & \text{if } A_m \end{cases}$$

where each t_i is either a truth constant or in {x_1, ..., x_n}. The conditions A_i are simple formulae of the underlying semantic theory T whose free variables are among {x_1, ..., x_n}. Since □̃ is a total function they have to satisfy the following properties:



Totality: $T \models \forall x_1 \cdots \forall x_n \bigvee_{1 \le i \le m} A_i$

Functionality: For all models M of T: M ⊨ A_i[σ] and M ⊨ A_j[σ] implies that σ(t_i) = σ(t_j).

To specify a logic we also need a notion of designated truth values or, shorter, a designating predicate. Any simple formula Des(x) of T with exactly one free variable x may be chosen for this purpose.

An interpretation I (of any propositional many-valued logic) is a mapping from the set of propositional variables PV into the set of truth values V. Given projective truth functions for all connectives of the language, an interpretation I extends to an evaluation function val_I that maps all formulae into truth values, as follows:

$$\mathrm{val}_I(F) = I(F) \quad \text{if } F \in PV$$
$$\mathrm{val}_I(\Box(F_1,\ldots,F_n)) = \tilde{\Box}(\mathrm{val}_I(F_1),\ldots,\mathrm{val}_I(F_n))$$

Observe that the semantics depends on an interpretation of the conditions A_i of the truth functions. These A_i are formulae of the semantic theory T. Therefore any model M of T determines a logic L_M, the projective logic of M (with respect to given projective truth functions for all connectives of the language). We call a formula F valid in L_M if for all interpretations I: M ⊨ Des[val_I(F)/x]. (That is: if for all interpretations the assignment of the value of F to the only free variable of the designating predicate is satisfied in M.) L_M is identified with the set of formulae that are valid in it.

There is another useful interpretation of this semantic machinery under which the semantic theory itself determines a logic. Namely, instead of evaluating the conditions A_i in a particular model of T, we may check whether the relevant instances A'_i of A_i and Des' of Des are satisfied in all models of T. This way we don’t have to fix the set of truth values in speaking of the projective logic L_T associated with T and some projective connectives (possibly including truth constants). This allows us to speak, e.g., of the projective logic of, say, partial orders (with respect to a fixed set of projective connectives). Formally,

$$L_T = \{\, F \mid M \models Des[\mathrm{val}_I(F)/x] \text{ for all } I \text{ and all models } M \text{ of } T \,\}$$

Example 1. To see that every finite valued propositional logic is projective we only have to consider monadic semantic theories.

Let the language of T contain a monadic predicate symbol C_i for each truth value c_i. In addition, assume that we have a constant for each truth value. Then any entry
any entry 




in the truth table for the n-ary connective □ translates into the part

$$\tilde{\Box}(x_1,\ldots,x_n) = c_j \quad \text{if } C_{i_1}(x_1) \wedge \ldots \wedge C_{i_n}(x_n)$$

of the definition of the truth function as above.

Alternatively, we can base the semantics on a theory containing only the equality predicate and all truth constants: just replace C_i(t) by c_i = t.

As we shall see below, even in the case of finite valued logics, it may be 
advantageous to choose a more expressive semantic theory to define the truth 
functions for its connectives. 

2.1 Gödel logics

Our main example of projective logics is the family of Gödel logics. To formulate their semantics, we assume the set of truth values to be linearly ordered and equipped with a minimal element 0 and a maximal element 1 (distinct from 0). A standard axiomatization of the corresponding semantic theory is given by:

$$\begin{array}{ll}
\forall x : \neg(x < x) & (\mathrm{Irrefl}_<) \\
\forall x \forall y \forall z : (x < y \wedge y < z) \supset x < z & (\mathrm{Trans}_<) \\
\forall x \forall y : x = y \vee x < y \vee y < x & (\mathrm{Linear}_<) \\
\forall x : x = 0 \vee 0 < x & (\mathrm{Min}_<) \\
\forall x : x = 1 \vee x < 1 & (\mathrm{Max}_<) \\
0 < 1 & (\mathrm{Distinct})
\end{array}$$

Although one could derive a “sequent calculus of relations” (see Section 3) directly from this theory we prefer an alternative formulation of it. We do not want to have to consider “=” as a basic relation, but rather base T on the relation symbols “<” and “≤” by adding the following to the axioms Irrefl_<, Trans_<, and Distinct:

$$\begin{array}{ll}
\forall x : x \le x & (\mathrm{Refl}_\le) \\
\forall x \forall y \forall z : (x \le y \wedge y \le z) \supset x \le z & (\mathrm{Trans}_\le) \\
\forall x \forall y : x \le y \vee y \le x & (\mathrm{Linear}_\le) \\
\forall x : 0 \le x & (\mathrm{Min}_\le) \\
\forall x : x \le 1 & (\mathrm{Max}_\le) \\
\forall x \forall y : x < y \vee y \le x & (\mathrm{Connect})
\end{array}$$

We can now state the truth functions for disjunction (∨ - maximum), conjunction (∧ - minimum), implication (⊃), and negation (¬) in such a way that it becomes clear that these connectives are projective with respect to T.
$$\tilde{\vee}(x,y) = \begin{cases} x & \text{if } y \le x \\ y & \text{if } x \le y \end{cases} \qquad \tilde{\wedge}(x,y) = \begin{cases} x & \text{if } x \le y \\ y & \text{if } y \le x \end{cases}$$

$$\tilde{\supset}(x,y) = \begin{cases} 1 & \text{if } x \le y \\ y & \text{if } y < x \end{cases} \qquad \tilde{\neg}(x) = \begin{cases} 1 & \text{if } x \le 0 \\ 0 & \text{if } 0 < x \end{cases}$$

Negation can be treated as a derived connective by defining ¬A := A ⊃ 0.

“1” is intended to be the only designated truth value. Therefore we take “1 ≤ x” as designating predicate.

Infinite valued Gödel logic G_∞² is the logic of infinite models of T. Infinity of the domain of a model of T is enforced by adding the density axiom

$$\forall x \forall y \exists z : x < y \supset (x < z \wedge z < y) \qquad (\mathrm{Dense})$$

However, G_∞ is not only the logic³ of the theory axiomatized by T + (Dense) or the logic L_M for any infinite model M of T, but also the logic L_T itself.

If we restrict attention to finite models of T we obtain the family of finite valued Gödel logics G_n. Let, e.g., M be the (up to isomorphism) unique model of T with 5 elements; then L_M is the 5-valued Gödel logic G_5. Instead of focusing on particular models M one may equivalently augment T to become the unique (first order) theory of M. If we add the following axiom to T:

$$\exists x_1 \cdots \exists x_n \forall y : y = x_1 \vee \ldots \vee y = x_n \qquad (\mathrm{Finite}_n)$$

where x = y abbreviates (x ≤ y ∧ y ≤ x), then L_T becomes G_n.



2.2 A relation between finite and infinite valued logics

It is well known that G_∞ is the intersection of all finite valued Gödel logics. The concept of projective connectives allows us to grasp the connection between logics corresponding to finite and arbitrary models of a semantic theory, respectively, at a more general level.

Proposition 1. Let T be a universal theory (i.e., axiomatized by Π₁-formulae only) and F be any formula of a projective logic over T. If F is valid in L_M for all finite models M of T then F is valid in L_M for all models M of T. More concisely:

$$\bigcap_{M \text{ finite}} L_M \subseteq L_T$$

² Sometimes also called LC or Dummett logic, since Dummett presented its first axiomatization [7].

³ There is only one infinite valued propositional Gödel logic. On the first order level different topologies on the set of truth values induce different logics.
Proof. Let M be an arbitrary model of T such that M ⊭ Des[val_I(F)/x] for some interpretation I. Since the connectives of F are projective its evaluation only depends on the elements of M assigned by I to the propositional variables of F and on the constants of T. That is: we can filtrate M into a model M' with domain {I(p) | p occurs in F} ∪ {c | c is the value of some constant of T}; M' is finite, is again a model of T since T is universal, and F fails in M' under I as well. Therefore, if F is valid in all finite models it must be valid in arbitrary models, i.e., in L_T.

Observe that the proof provides a bound for the size of models (i.e., number of truth values) that we have to consider if we want to check whether a formula is valid in L_T. In the case of G_∞ we obtain: F ∈ G_{|F|+2} implies F ∈ G_∞, where |F| is the number of (distinct) propositional variables occurring in F.
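The bound just stated turns validity in G_∞ into a finite check. The following Python is an added example, not code from the paper: it evaluates formulae with the Gödel truth functions of Section 2.1 over the n-element chain and applies the |F|+2 bound; the formula encoding, the function names and the sample formulae are this example's own.

```python
"""Brute-force validity in the finite valued Goedel logics G_n, and the
finite-model bound of Proposition 1 used to decide G_inf.  Added example,
not code from the paper; the formula encoding is this example's own.
Formulas: ('var', name) | ('c', 0) | ('c', 1) | (op, A, B), op in and/or/imp."""
from fractions import Fraction
from itertools import product

ZERO, ONE = ('c', 0), ('c', 1)

def Var(name): return ('var', name)
def Not(a): return ('imp', a, ZERO)     # negation as the derived connective A -> 0

def val(f, interp):
    """val_I(F) with the Goedel truth functions of Section 2.1:
    disjunction = max, conjunction = min, x -> y = 1 if x <= y else y."""
    kind = f[0]
    if kind == 'var':
        return interp[f[1]]
    if kind == 'c':
        return Fraction(f[1])
    x, y = val(f[1], interp), val(f[2], interp)
    if kind == 'or':
        return max(x, y)
    if kind == 'and':
        return min(x, y)
    if kind == 'imp':
        return Fraction(1) if x <= y else y
    raise ValueError(f'unknown connective {kind!r}')

def variables(f):
    """Set of propositional variables occurring in F."""
    if f[0] == 'var':
        return {f[1]}
    if f[0] == 'c':
        return set()
    return variables(f[1]) | variables(f[2])

def valid_in_Gn(f, n):
    """F is valid in G_n iff val_I(F) = 1 (the only designated value) for
    every interpretation I into the n-element chain 0 < 1/(n-1) < ... < 1,
    the unique n-element model of T up to isomorphism."""
    if n < 2:
        raise ValueError('a model of T has at least the two distinct elements 0 and 1')
    chain = [Fraction(i, n - 1) for i in range(n)]
    names = sorted(variables(f))
    return all(val(f, dict(zip(names, values))) == 1
               for values in product(chain, repeat=len(names)))

def valid_in_Ginf(f):
    """Decide G_inf with the bound of Section 2.2: a countermodel for F needs
    at most |F|+2 truth values (the values of F's variables plus the constants
    0 and 1), so F in G_{|F|+2} already implies F in G_inf, while G_inf is
    contained in every G_n."""
    return valid_in_Gn(f, len(variables(f)) + 2)

# Constructed sample formulas.
P, Q = Var('p'), Var('q')
LEM = ('or', P, Not(P))                                   # p or not p
WEAK_LEM = ('or', Not(P), Not(Not(P)))                    # not p or not not p
PRELINEARITY = ('or', ('imp', P, Q), ('imp', Q, P))       # (p -> q) or (q -> p)
# Fails exactly when 0 < p < q < 1, which needs four distinct truth values:
# valid in G_3 but not in G_4 = G_{|F|+2}, hence not in G_inf.
NEEDS_FOUR_VALUES = ('or', ('imp', Q, P), ('or', Not(P), Q))

if __name__ == '__main__':
    for n in (2, 3, 4, 5):
        print(f'G_{n}: LEM {valid_in_Gn(LEM, n)}, chain formula {valid_in_Gn(NEEDS_FOUR_VALUES, n)}')
    print('G_inf:', valid_in_Ginf(WEAK_LEM), valid_in_Ginf(PRELINEARITY), valid_in_Ginf(LEM))
```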

3 Sequent calculi of relations 

There are quite different ways to interpret Gentzen’s classical sequent calculus LK [9]. These lead to different types of generalizations of Gentzen’s calculus. One - very useful - interpretation of a sequent

$$F_1, \ldots, F_n \to G_1, \ldots, G_m$$

is to understand it as expressing the assertion that either one of the F_i (1 ≤ i ≤ n) is false or one of the G_j (1 ≤ j ≤ m) is true. In this view a classical sequent can be identified with a sequence

$$\mathit{False}(F_1), \ldots, \mathit{False}(F_n), \mathit{True}(G_1), \ldots, \mathit{True}(G_m)$$

of (monadic) atomic formulae referring to the usual semantic theory. It is well known how this leads to the formulation of sequent calculi for all finite valued logics (see, e.g., [4,8,15]).

However, one may prefer to think of the sequent arrow in

$$F \to G$$

as associated with the binary semantic predicate “F implies G”. In the context of a many valued logic with an ordered set of truth values this can, e.g., be understood as

$$\mathrm{val}_I(F) \le \mathrm{val}_I(G)$$

for all interpretations I.

The concept of “hypersequents” (as investigated extensively by A. Avron in, e.g., [11,13]) extends the range of logics for which analytic Gentzen style systems can be given. Hypersequents are sequences of sequents understood as disjunctively connected (at the external level). If external contraction and external weakening are present and if a “splitting rule” (which is an instance of Avron’s communication rule) is admissible, then the hypersequent

$$F_1, \ldots, F_n \to G \mid \ldots$$

is equivalent to the hypersequent

$$\ldots \mid F_1 \to G \mid \ldots \mid F_n \to G \mid \ldots$$

This hypersequent can again be viewed as a sequence of (binary) atomic formulae referring to a semantic theory. (For this one needs truth constants that correspond to an empty left or right hand side of the sequents.)

The connection to the semantic framework described in Section 2 is mani- 
fested in the following definition: 

Let R_1, ..., R_n be the predicate symbols of a semantic theory T, then a sequent of relations is a finite sequence of form

$$R_{i_1}(F^1_1, \ldots, F^1_{r_{i_1}}) \mid \ldots \mid R_{i_k}(F^k_1, \ldots, F^k_{r_{i_k}})$$

where for all 1 ≤ j ≤ k: i_j ∈ {1, ..., n}, r_i is the arity of R_i, and all F^j_l are formulae of a logic. (Strictly speaking, the relational symbols R_j just correspond to symbols of the language of T, since the terms of T are not formulae but variables and constants for truth values.)

We are now going to define the sequent calculus of relations RL_T for a projective logic L_T defined with respect to a semantic theory T.

Axiom sequents

Let T ⊨ ∀x̄ ⋁_{1≤j≤n} B_j, where the B_j are atomic formulae and x̄ are the free variables in ⋁_{1≤j≤n} B_j, and let θ be a substitution of formulae for the variables x̄. Then

$$B_1\theta \mid \ldots \mid B_n\theta$$

is an axiom of RL_T.

Remarks. (1) Since T decides all Π₁-formulae the set of axioms is recursive. (2) Instead of taking all valid disjunctions of atomic formulae to define axioms one may just consider minimal valid disjunctions. I.e., one reduces the set of axioms modulo the (provability) equivalence relation induced by the structural rules described below.

Structural rules

As already mentioned above, the structural rules for relational sequents should capture the intended interpretation of “|” as disjunction. Thus we have the following rules in RL_T:

$$\frac{\Pi \mid A \mid B \mid \Pi'}{\Pi \mid B \mid A \mid \Pi'}\ \text{(permutation)} \qquad \frac{\Pi}{A \mid \Pi}\ \text{(weakening)} \qquad \frac{A \mid A \mid \Pi}{A \mid \Pi}\ \text{(contraction)}$$

where A, B are arbitrary atomic relations on formulae and Π, Π' are arbitrary (possibly empty) side sequents.

Remark. The intended interpretation of sequents is that of disjunctions of atomic relations between formulae. Permutation and contraction reflect the commutativity and idempotency of (classical) disjunction, respectively. Weakening, of course, corresponds to “Π implies [A or Π]”.
Logical rules

Let □ be an n-ary projective connective with the following truth function:

$$\tilde{\Box}(x_1,\ldots,x_n) = \begin{cases} t_1 & \text{if } A_1(x_1,\ldots,x_n) \\ \;\vdots & \\ t_m & \text{if } A_m(x_1,\ldots,x_n) \end{cases}$$

For each predicate symbol R of arity r and each position p, where 1 ≤ p ≤ r, we obtain a rule (□:R:p) for introducing □ at position p into an R-component of a relational sequent. For this one considers the formula

$$\alpha_{\Box:R:p} = \bigvee_{1 \le i \le m} \bigl( A_i(x_1,\ldots,x_n) \wedge R(z_1,\ldots,z_r)\{t_i/z_p\} \bigr)$$

Take any conjunction of disjunctions of atomic formulae ⋀_{1≤j≤s} ⋁_{1≤k≤t_j} B_{j,k} that is equivalent in T to α_{□:R:p}. Then we have the rule

$$\frac{B_{1,1}\theta \mid \ldots \mid B_{1,t_1}\theta \mid \Pi \qquad \cdots \qquad B_{s,1}\theta \mid \ldots \mid B_{s,t_s}\theta \mid \Pi}{R(z_1,\ldots,z_r)\{\Box(x_1,\ldots,x_n)/z_p\}\theta \mid \Pi}\ (\Box{:}R{:}p)$$

where θ is a substitution of formulae for the variables {x_1, ..., x_n} ∪ {z_1, ..., z_r} − {z_p}, and Π is the side sequent of the rule.

Remarks. (1) We make use of the fact that the conditions A_i are simple, i.e., negation and quantifier free. (2) In general there are many conjunctive normal forms that are equivalent to α_{□:R:p}. To obtain compact rules it is often essential to apply simplifications justified by T-valid formulae. (3) The α_{□:R:p} are Π₁-formulae of T. Since T decides all Π₁-formulae, the transformation of the specification of a truth function into a logical rule for relational sequents can - in principle - be automated.

Example 2. Continuing Example 1 we arrive at a sequent calculus of (monadic) relations for each finite valued logic if we follow the above definitions. In fact, because of the presence of the standard structural rules, these calculi are just notational variants of the many-placed sequent calculi or signed calculi as described, e.g., in [4,15]. (The special case of classical logic - LK [9] - was already sketched at the beginning of the section.) We can even get rid of the truth constants in the formulation of the calculi. The reason for this is that, obviously, any atomic formula of T that contains a constant can only be of form C_i(c_j), and thus is either simply true or false. For the axioms and rules this means that formulas C_i(c_j) where i ≠ j are deleted from the sequents, and sequents containing C_i(c_j) where i = j are discarded altogether.



3.1 Correctness, completeness, decidability

A sequent (of relations) S is called provable in RL_T if there is an upward tree of sequents rooted in S, such that every leaf (topmost sequent) is an axiom and every other sequent is obtained from the ones standing immediately above it by application of one of the rules of RL_T.

For any sequent

$$S = R_1(F_{1,1}, \ldots, F_{1,r_1}) \mid \cdots \mid R_n(F_{n,1}, \ldots, F_{n,r_n})$$

let

$$\beta_S = \bigvee_{1 \le i \le n} R_i(t_{i,1}, \ldots, t_{i,r_i})$$

be the T-formula corresponding to S, where t_{i,j} is identical to F_{i,j} if F_{i,j} is a truth constant⁴ and is a new variable x_{i,j} otherwise (x_{i,j} = x_{k,l} iff F_{i,j} = F_{k,l}).

Since the designating predicate Des is a simple formula it is equivalent to a formula Des' of form ⋀_{1≤i≤p} ⋁_{1≤j≤q_i} A_{i,j} where the A_{i,j} are atomic formulae with at most one free variable x. By

$$\Delta_1\{x/F\}, \ldots, \Delta_p\{x/F\}$$

we denote the sequence of sequents that correspond to the conjuncts of Des' if x is replaced by the formula F.

For the following statements let T be any semantic theory and L_T be the logic determined by T, an object language, projective truth functions for this language and a designating predicate Des. RL_T is the corresponding sequent calculus of relations as defined above.

Theorem 1 (Correctness). If all sequents Δ_1{x/F}, ..., Δ_p{x/F} are provable in RL_T then F is valid in L_T.

Proof. We show by induction on the length of proofs that for all models M of T and all interpretations I: M ⊨ β_S[σ_I] if S is provable, where σ_I assigns val_I(F_{i,j}) to the corresponding variable x_{i,j}. From this the theorem follows by the definition of Δ_1{x/F}, ..., Δ_p{x/F} and the fact that F is valid if for all M and I: M ⊨ Des[val_I(F)/x].

For axioms the claim immediately follows from their definition.

For applications of structural rules with premiss S and conclusion S' we have that β_S implies β_{S'} by the fact that the T-formulae corresponding to sequents are classical disjunctions.

For the application of a logical rule (□:R:p) it suffices to observe that, by definition, for any σ: M ⊨ α_{□:R:p}[σ] implies that M ⊨ R(z_1, ..., z_r)[σ'], where σ' is as σ except for assigning □̃(σ(x_1), ..., σ(x_n)) to the only variable z_p that does not already occur in α_{□:R:p}.



Theorem 2 (Completeness). If F is valid in L_T then all sequents Δ_1{x/F}, ..., Δ_p{x/F} are provable.

⁴ Remember that we identify the constants of T with truth constants of the object language.
Proof. (Sketch) We employ Schütte’s method of reduction trees [1]. That is, we construct a reduction tree RT for every sequent S such that either a proof of S or a model in which β_S is not valid can be extracted from RT.

The construction of the upward tree of sequents RT for the sequent S is in stages as follows:

Stage 0: Write S at the root of RT.

Stage k: If the topmost sequent S' of a branch contains only propositional variables (as arguments of its relations) then stop the reduction for this branch. Otherwise S' contains a relation R(F_1, ..., F_r) where F_p = □(G_1, ..., G_n) for some 1 ≤ p ≤ r. If the indicated occurrence of □(G_1, ..., G_n) is not the result of a reduction at this stage and has not yet been reduced on this branch then replace S' by

$$\frac{B_{1,1}\theta \mid \ldots \mid B_{1,t_1}\theta \mid S' \qquad \cdots \qquad B_{s,1}\theta \mid \ldots \mid B_{s,t_s}\theta \mid S'}{S'}$$

where the B_{i,j} are as in the definition of rule (□:R:p) and θ is given by

$$R(z_1,\ldots,z_r)\{\Box(x_1,\ldots,x_n)/z_p\}\theta = R(F_1,\ldots,F_r).$$

Since every occurrence of a formula is only reduced once in a branch the construction of RT stops after finitely many steps.

We say that a sequent S' contains an axiom if it can be derived from an axiom using structural rules only. If each leaf of RT contains an axiom of RL_T then a proof of S is easily constructed from RT by inserting weakenings, permutations, and contractions.

Otherwise there is a leaf sequent ℛ that does not contain an axiom. Let β'_ℛ be the T-formula corresponding to ℛ (by replacing the propositional variables f_i occurring in ℛ by variables x_i of the language of T). By definition of the set of axioms, there is a model M of T and an assignment σ such that M ⊭ β'_ℛ[σ].

The assignment σ of truth values to the x_i induces an interpretation I of the corresponding propositional variables f_i. By going down the branch from ℛ to the root S one can augment I to an interpretation of all propositional variables occurring in S such that M ⊭ β_S[val_I(H_1)/x_1, ..., val_I(H_k)/x_k], where the H_i are the formulae in S. (For this one, of course, has to check the corresponding truth functions as interpreted in M.)

F is valid in L_T iff for all M and I, M ⊨ Des[val_I(F)/x]. Since T ⊨ ∀x (Des ≡ ⋀_{1≤i≤p} Δ_i) it follows that all leaves of a reduction tree RT_i for a sequent Δ_i{x/F} contain axioms. Therefore all sequents Δ_1{x/F}, ..., Δ_p{x/F} are provable in RL_T if F is valid.

Since the construction of the reduction trees is effective we obtain:

Corollary 1. All projective logics L_T are decidable.

Remark. The construction of the reduction tree can be seen as the search for a proof in tableau format. Here, the atomic elements of the tableau are not just formulae but (atomic) relations between formulae. The reduction of compound formulae corresponds to the introduction rules of the sequent calculus. The tableau closure rules correspond to the axioms. The close relationship between reduction trees (i.e., tableaux) and sequent proofs relies on the fact that, as in classical logic, we can view sequents as sets (i.e., modulo permutation and contraction) and can move all weakenings up to the axioms.

3.2 Derivation of calculi for Gödel logics

We already saw in Section 2 that all Gödel logics are projective. As an illustration of the proof theoretic framework of the last section we derive a calculus RG_∞ of relational sequents for infinite valued Gödel logic G_∞ by considering the semantic theory T described in Section 2.1.

Axioms of RG_∞ are all sequents that contain a sequent

$$A_1 \lhd A_2 \mid A_2 \lhd A_3 \mid \ldots \mid A_k \lhd A_1$$

for k ≥ 1, where ◁ is to be replaced either by < or by ≤, but at least one occurrence of ◁ stands for ≤.

In addition, all sequents that are obtained from the above ones by deleting relations of form

$$A < 0, \qquad 1 < A, \qquad \text{or} \qquad 1 \le 0$$

are axioms.

Proposition 2. All valid closed disjunctions of atomic formulae in T correspond to one of the above axioms modulo applications of structural rules.

We derive the logical rules of RG_∞ as described in Section 3 above by manipulating the rule-defining formulae α_{□:R:P} in T. Here R ∈ {<, ≤}; P ∈ {l, r} for the left and right argument position of the binary relations, respectively, and □ ∈ {⊃, ∧, ∨}. (As already remarked, ¬ can be treated as a defined connective.)

$$\begin{aligned}
\alpha_{\supset:\le:r} &= (x \le y \wedge z \le 1) \vee (y < x \wedge z \le y) \\
&\equiv (x \le y \vee y < x) \wedge (x \le y \vee z \le y) \wedge (z \le 1 \vee y < x) \wedge (z \le 1 \vee z \le y) \\
&\equiv (x \le y \vee z \le y) \wedge (z \le 1)
\end{aligned}$$

The rule for introducing implication at the right argument place of ≤ in a relational sequent can therefore be stated as:

$$\frac{A \le B \mid C \le B \mid \Pi \qquad C \le 1 \mid \Pi}{C \le (A \supset B) \mid \Pi}\ (\supset{:}\le{:}r)$$



Similarly we have in T

$$\alpha_{\supset:<:l} = (x \le y \wedge 1 < z) \vee (y < x \wedge y < z) \;\equiv\; y < x \wedge y < z$$

Thus a rule for introducing implication at the left argument place of < is:

$$\frac{B < A \mid \Pi \qquad B < C \mid \Pi}{(A \supset B) < C \mid \Pi}\ (\supset{:}<{:}l)$$

For implication at the right hand side of the <-relations we obtain:

$$\begin{aligned}
\alpha_{\supset:<:r} &= (x \le y \wedge z < 1) \vee (y < x \wedge z < y) \\
&\equiv (x \le y \vee y < x) \wedge (x \le y \vee z < y) \\
&\equiv x \le y \vee z < y
\end{aligned}$$

This induces the rule

$$\frac{A \le B \mid C < B \mid \Pi}{C < (A \supset B) \mid \Pi}\ (\supset{:}<{:}r)$$



A compact rule for introducing implication at the left hand side of the ≤-relations is obtained by the following derivation in T:

$$\begin{aligned}
\alpha_{\supset:\le:l} &= (x \le y \wedge 1 \le z) \vee (y < x \wedge y \le z) \\
&\equiv (x \le y \vee y < x) \wedge (x \le y \vee y \le z) \wedge (1 \le z \vee y < x) \wedge (1 \le z \vee y \le z) \\
&\equiv (1 \le z \vee y < x) \wedge (y \le z)
\end{aligned}$$

This induces the rule

$$\frac{1 \le C \mid B < A \mid \Pi \qquad B \le C \mid \Pi}{(A \supset B) \le C \mid \Pi}\ (\supset{:}\le{:}l)$$

Observe that this is the only ≤-rule exhibiting < in the premisses. (This is of importance for the connection to Avron’s GLC; see Section 3.4 below.)

Computing the rules for disjunction and conjunction is easy. They take the same form for both relations. We therefore let ◁ stand for either < or ≤ (uniformly in each rule):

$$\frac{C \lhd A \mid \Pi \qquad C \lhd B \mid \Pi}{C \lhd (A \wedge B) \mid \Pi}\ (\wedge{:}\lhd{:}r) \qquad \frac{A \lhd C \mid B \lhd C \mid \Pi}{(A \wedge B) \lhd C \mid \Pi}\ (\wedge{:}\lhd{:}l)$$

$$\frac{C \lhd A \mid C \lhd B \mid \Pi}{C \lhd (A \vee B) \mid \Pi}\ (\vee{:}\lhd{:}r) \qquad \frac{A \lhd C \mid \Pi \qquad B \lhd C \mid \Pi}{(A \vee B) \lhd C \mid \Pi}\ (\vee{:}\lhd{:}l)$$



To obtain a calculus RG_n for n-valued Gödel logic G_n one only has to add the axiom

$$A_1 \le A_2 \mid A_2 \le A_3 \mid \ldots \mid A_n \le A_{n+1}$$
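The reduction tree of Section 3.1, run on RG_∞, as an added worked example (not code from the paper): sequents are sets of atoms over formulae, the premises of each logical rule are generated from the truth functions of Section 2.1 by the α_{□:R:p} construction (distributed into clauses without T-simplification, which yields the same provable sequents as the compact rules above), and the axiom check is the cycle criterion from the start of this section. The formula encoding, the function names and the sample formulae are this example's own.

```python
"""Reduction-tree proof search in RG_inf, the sequent calculus of relations
for infinite-valued Goedel logic.  Added example, not code from the paper.
Formulas: ('var', name) | ('c', '0') | ('c', '1') | (op, A, B) with op in
{'and', 'or', 'imp'}.  A sequent is a frozenset of atoms (rel, F, G) with
rel in {'<', '<='}, read as a disjunction of relations between formulas."""
from itertools import product

ZERO, ONE = ('c', '0'), ('c', '1')

def Var(name): return ('var', name)
def Not(a): return ('imp', a, ZERO)           # derived connective  A -> 0

# Projective truth functions of Section 2.1 as (value, condition) cases.
# Integers 0/1 stand for the argument positions x, y; ONE is the constant 1.
TRUTH = {
    'or':  [(0, ('<=', 1, 0)), (1, ('<=', 0, 1))],   # x if y<=x, y if x<=y
    'and': [(0, ('<=', 0, 1)), (1, ('<=', 1, 0))],   # x if x<=y, y if y<=x
    'imp': [(ONE, ('<=', 0, 1)), (1, ('<', 1, 0))],  # 1 if x<=y, y if y<x
}

def subst(t, args):
    """Instantiate a position index with the actual argument formula."""
    return args[t] if isinstance(t, int) else t

def premises(seq, atom, pos):
    """Rule (op:R:p): alpha = OR_i (A_i AND R(z){t_i/z_p}) is built for the
    compound formula at argument position `pos` of `atom`, turned into a
    conjunction of clauses by distribution, and each clause replaces the
    reduced component (the rest of the sequent is the side sequent Pi)."""
    rel, *terms = atom
    op, args = terms[pos][0], terms[pos][1:]
    disjuncts = []
    for value, (crel, c1, c2) in TRUTH[op]:
        cond = (crel, subst(c1, args), subst(c2, args))
        new_terms = list(terms)
        new_terms[pos] = subst(value, args)
        disjuncts.append((cond, (rel, *new_terms)))
    rest = seq - {atom}
    return [rest | frozenset(clause) for clause in product(*disjuncts)]

def is_axiom(seq):
    """Axioms of RG_inf: the sequent contains a cycle A1 <| A2 | A2 <| A3 |
    ... | Ak <| A1 (k >= 1) in which at least one <| is <=, where the always
    false atoms A < 0, 1 < A and 1 <= 0 may be disregarded.  Disregarding a
    false disjunct is the same as adding it for free, so they are added."""
    terms = {t for _, a, b in seq for t in (a, b)} | {ZERO, ONE}
    atoms = (set(seq) | {('<', t, ZERO) for t in terms}
             | {('<', ONE, t) for t in terms} | {('<=', ONE, ZERO)})
    succ = {}
    for _, a, b in atoms:
        succ.setdefault(a, set()).add(b)

    def reaches(src, dst):                  # path src -> ... -> dst, length >= 0
        seen, stack = set(), [src]
        while stack:
            node = stack.pop()
            if node == dst:
                return True
            if node not in seen:
                seen.add(node)
                stack.extend(succ.get(node, ()))
        return False

    return any(rel == '<=' and reaches(b, a) for rel, a, b in atoms)

def provable(seq):
    """Build the reduction tree; True iff every branch ends in an axiom.
    Each step removes one compound occurrence, so the search terminates."""
    if is_axiom(seq):
        return True
    for atom in seq:
        for pos in (0, 1):
            if atom[pos + 1][0] in TRUTH:
                return all(provable(p) for p in premises(seq, atom, pos))
    return False                            # atomic leaf, no axiom: countermodel

def valid(f):
    """F is valid in G_inf iff the sequent 1 <= F (Des(x) = 1 <= x) is provable."""
    return provable(frozenset({('<=', ONE, f)}))

# Constructed sample formulas.
P, Q = Var('p'), Var('q')
LEM = ('or', P, Not(P))                                   # p or not p
WEAK_LEM = ('or', Not(P), Not(Not(P)))                    # not p or not not p
PRELINEARITY = ('or', ('imp', P, Q), ('imp', Q, P))       # (p -> q) or (q -> p)
NEEDS_FOUR_VALUES = ('or', ('imp', Q, P), ('or', Not(P), Q))  # fails iff 0<p<q<1

if __name__ == '__main__':
    for name, f in [('LEM', LEM), ('weak LEM', WEAK_LEM),
                    ('prelinearity', PRELINEARITY), ('chain', NEEDS_FOUR_VALUES)]:
        print(f'{name}: {"valid" if valid(f) else "not valid"} in G_inf')
```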
3.3 Extended structural rules

So far we only considered (analytic) rules for introducing connectives and traditional forms of structural rules. Let us now investigate which types of cut rules or more general forms of structural rules (that possibly allow one to exchange formulae from different relations in sequents) are admissible in our calculi. Although we know - by completeness - that such rules are not needed for proof search, one should keep in mind that vast speedups (at least with respect to proof length) can be gained by applying such rules. (This is already well known for the “simplest” case of a projective logic, namely classical logic.)

We call a rule an extended structural rule if it is of the form:

$$\frac{\Pi \mid \Gamma_1\theta \qquad \cdots \qquad \Pi \mid \Gamma_n\theta}{\Pi \mid \Gamma\theta}$$

where Γ_1, ..., Γ_n, Γ are sequences of atomic formulae of T (separated by “|”), θ is a substitution of variables by formulae and Π a side sequent.

Remark. Because of the presence of weakening, contraction and permutation there is no loss of generality in considering only identical side sequents in the premisses. Indeed this “additive” version of rules is more suitable in the context of tableau style proof search.

An extended structural rule is admissible in RL_T if

$$T \models \forall \bar{x}\, (\hat\Gamma_1 \wedge \ldots \wedge \hat\Gamma_n) \supset \hat\Gamma$$

where x̄ is the vector of all variables occurring in Γ_1, ..., Γ_n, Γ and Δ̂ is the disjunction of the atomic formulae Δ consists of. (Δ̂ = True for empty Δ.)

It follows from this definition that, indeed, all sequents provable in RL_T augmented by admissible extended structural rules are already provable in RL_T without these rules.

It is important to notice that admissibility is a decidable property of rules, because we required all Π₁-sentences to be decidable in T.

Let vars(Δ) denote the set of variables occurring in the sequent Δ. We call an extended structural rule a cut rule if vars(Γ) ⊉ ⋃_{1≤i≤n} vars(Γ_i). (That is, at least one of the formulae is “cut out” from the premisses.) If vars(Γ) ⊇ ⋃_{1≤i≤n} vars(Γ_i) we speak of an analytic structural rule.

Remark. In general, many different extended structural rules are admissible. They constitute an open list of (by admissibility:) possible but (by completeness:) not necessary extensions of the analytic calculi defined in Section 3.



Example 3. If T contains a transitive relation “≺” - e.g., “<” and “≤” in the semantic theory of Gödel logics - then

$$\frac{F \prec G \mid \Pi \qquad G \prec H \mid \Pi}{F \prec H \mid \Pi}\ \text{(tr-cut)}$$

is an admissible cut rule, called transitivity cut.

If the partial ordering ≺ has a minimal element 0 and a maximal element 1 distinct from 0 - again Gödel logics are concrete examples - then

$$\frac{F \prec 0 \mid \Pi \qquad 1 \prec F \mid \Pi}{\Pi}$$

is another admissible cut rule.

If ≺ is irreflexive - as for Gödel logics - also the unary cut rules

$$\frac{1 \prec F \mid \Pi}{\Pi} \qquad \text{and} \qquad \frac{F \prec 0 \mid \Pi}{\Pi}$$

are admissible.



Example 4. Let ≤ and 0, 1 be as in the semantic theory for Gödel logics. Then

$$\frac{1 \le F \mid \Pi}{G \le F \mid \Pi}\ (w{:}\le{:}l) \qquad \frac{G \le 0 \mid \Pi}{G \le F \mid \Pi}\ (w{:}\le{:}r)$$



1 <o\n 

and F 



are examples of admissible analytic structural rules. The first two correspond to 
(internal) weakening in standard sequent calculi. 

An important analytic structural rule, admissible for Gödel logics, is:

$$\frac{F \le G \mid \Pi \qquad H \le I \mid \Pi}{H \le G \mid F \le I \mid \Pi}$$

It corresponds to an instance of Avron’s communication rule as we shall see in the next section.



3.4 The connection to Avron’s hypersequent calculus

We want to consider Avron’s calculus GLC [11] as a calculus of relations and therefore use an equivalent formulation, where the hypersequents are fully split (see Section 3). This version of Avron’s calculus consequently consists of:

— axioms A ≤ A

— (external) structural rules

— internal weakening rules (w:≤:l) and (w:≤:r) (see Example 4, above)

— all ≤-rules of RG_∞ with the exception of (⊃:≤:l), which is replaced by

$$\frac{D \le A \mid \Pi \qquad B \le C \mid \Pi}{(A \supset B) \le C \mid D \le C \mid \Pi}\ (\supset{:}\le{:}l)^*$$

— the communication rule:

$$\frac{A_1 \le U \mid \ldots \mid A_n \le U \mid \Pi \qquad B_1 \le V \mid \ldots \mid B_m \le V \mid \Pi}{A_1 \le V \mid \ldots \mid A_n \le V \mid B_1 \le U \mid \ldots \mid B_m \le U \mid \Pi}\ \text{(comm.)}$$
(⊃:≤:l)* is derivable from (⊃:≤:l) in our RG_∞ using transitivity cuts (see Example 3), which can be eliminated from proofs:

$$\frac{\dfrac{\dfrac{\dfrac{D \le A \mid \Pi \qquad A \le B \mid B < A}{D \le B \mid B < A \mid \Pi}\ \text{(tr-cut)} \qquad B \le C \mid \Pi}{D \le C \mid B < A \mid \Pi}\ \text{(tr-cut)}}{\dfrac{B < A \mid D \le C \mid \Pi}{1 \le C \mid B < A \mid D \le C \mid \Pi}\ \text{(weak.)}}\ \text{(perm.)} \qquad B \le C \mid \Pi}{(A \supset B) \le C \mid D \le C \mid \Pi}\ (\supset{:}\le{:}l)$$

Consequently, RG_∞ simulates Avron’s GLC. In the other direction, it is easy to show that pure ≤-sequents derivable in RG_∞ are also derivable in (the given version of) Avron’s calculus: Let (A < B)° = 1 ≤ ((B ⊃ A) ⊃ A) ∧ (A ⊃ B) and (A ≤ B)° = 1 ≤ A ⊃ B. Then all °-translations of derivable RG_∞-sequents are derivable in GLC, since the translations of RG_∞-rules are derivable in GLC.

Concerning efficient proof search, the most important feature of RG_∞ is the fact that we do not have to use the communication rule (or any similar rule destroying the “locality” of tableau style proof search). On the other hand, even if we enrich GLC by the (more general) axioms of RG_∞, the valid sequent

$$(A \supset B) \le C \mid A \le B \mid C \le B$$

is not cut-free provable without using the communication rule. In other words: the communication rule cannot be avoided if “<” is eliminated from the signature.



4 Future research 

An obvious open problem is the extension of sequent calculi of relations to first 
order logics. The subtlety of this task is highlighted by the fact that natural 
versions of quantifier rules for infinite valued Gödel logics are locally incorrect in 
our calculi. However, global correctness for sequents based on <-relations only 
can still be ensured. We plan to elaborate on this and related matters in future 
work. 

Acknowledgement. We thank the referees for their friendly, helpful and stim- 
ulating remarks. Limitations of space and time did not allow us to take up all 
of their suggestions already in this (version of the) paper. 
Abstract. We combine techniques originally developed for refutational 
first-order theorem proving within the clause tree framework with tech- 
niques for minimal model computation developed within the hyper tab- 
leau framework. This combination generalizes well-known tableaux tech- 
niques like complement splitting and folding-up/down. We argue that 
this combination allows for efficiency improvements over previous, re- 
lated methods. It is motivated by application to diagnosis tasks; in par- 
ticular the problem of avoiding redundancies in the diagnoses of electrical 
circuits with reconvergent fanouts is addressed by the new technique. In 
the paper we develop as our main contribution in a more general way a 
sound and complete calculus for propositional circumscriptive reasoning 
in the presence of minimized and varying predicates. 



1 Introduction 

Recently clause trees [7], a data structure and calculus for automated theorem 
proving, introduced a general method to close branches based on so-called merge 
paths. In this paper we bring these merge paths to tableaux for minimal model 
reasoning (e.g. [5,12,13,14]) by extending our framework of hyper tableau [3,1,2]. 

The paper [7] is devoted to refutational theorem proving. Merge paths al- 
low branches to close earlier than it would be possible without them or when 
using merge paths to simulate known instances such as folding-down [9]. Ex- 
pressed from the viewpoint of complement splitting [10], one advantage is that 
the splitting of literals can be deferred. 

In this paper we advocate to use merge paths for model computation calculi. 
In addition to the advantages in the refutational framework, merge paths allow 
one to partially re-use previously computed models instead of computing them 
again. To achieve this, new inference rules dealing with merge paths for minimal 
model computation are defined. In contrast to the purely refutational setting, 
these inference rules have to be applied with care, as termination is no longer 
a trivial property. Therefore, we give conditions for termination such that the 
central properties of minimal model soundness and minimal model completeness 
hold. More precisely, as our main result we develop such a calculus for the more 
general case of circumscriptive reasoning for minimized and varying predicates 
(Section 4). The minimal model completeness proof is given by a simulation of 
merge paths by atomic cuts (cf. Lemma 1 in Section 4). Viewed from this point, 



Neil V. Murray (Ed.): TABLEAUX’99, LNAI 1617, pp. 51-66, 1999. 
our approach can thus be seen as a more general approach for a controlled 
integration of the cut rule for the purpose of minimal model computation. 

The rest of this paper is structured as follows: first we briefly give the idea 
of merge paths as defined in [7] . This presentation should be sufficient to explain 
the subsequent motivation of the new calculus from the viewpoint of a certain 
problem encountered in diagnosis tasks. In Section 2 we bring merge paths into 
trees and define an ordering on merge paths. It is employed in Section 3 in the 
new calculus. In Section 4 we show how merge paths can be simulated by atomic 
cuts and, based on that, prove soundness and completeness. Section 5 discusses 
certain aspects of the calculus (memory requirements, atomic cuts vs. merge 
paths). 

Clause trees. Merge paths are introduced and studied in [7] in the context of 
clause trees. Clause trees are a data structure that represent equivalence classes 
of resolution derivations. Merge paths are a unified inference rule and generalize 
the folding up/folding down technique of [9]. 

Clause trees consist of clause nodes and atom nodes. Clause nodes are 
indicated by a ∘. Every clause node N corresponds to some input clause λ(N) = 
L1 ∨ ... ∨ Ln as can be seen from the n emerging edges; these edges are labeled 
by the signs of the Li's, and the atom parts of the Li's can be found in the 
adjacent atom nodes. Clause trees are built in such a way that from every atom 
node exactly two edges with opposite sign emerge. This corresponds to a binary 
resolution inference. Here is an example: 

[Figure: a clause tree for the clause set ← C, C ← A, A, B ← C, ← B (as printed), 
with a merge path drawn from the right C-node to the left C-node.] 

Now, in addition, merge paths can be drawn between equally labeled atom 
nodes, provided that the first and final edges are also equally labelled. In the 
preceding figure, there is a merge path from the right C-node (called the tail 
of the merge path), to the left C-node (called the head of the merge path). The 
idea is “in order to find a proof at the tail of a merge path, look it up (copy 
it) from the head of the merge path” . Thus, tail nodes are considered as proven 
and need no further extension. Thus a proof is a clause tree where every leaf is 
proven in this way or is a clause node. 

Head nodes can be part of another merge path, and then there is a depen- 
dency of the nodes on the path on the head node. In this case the “lookup” of 
proofs is done recursively. In order to terminate this, cyclic dependencies must 
be excluded. The absence of cycles in a set of merge paths is referred to by the 
term “legal”. Many of the results in [7] concerning legality and relation notions 
are derived as general properties of paths in trees. They thus can be readily 
applied to our case of hyper tableaux as well. 

Motivation: A diagnosis application. We consider consistency-based diagnosis 
according to Reiter [16]. In this scenario, a model of a device under consideration 
is constructed and is used to predict its normal behavior. By comparing this 
prediction with the actual behavior it is possible to derive a diagnosis. More 
precisely, a diagnosis Δ is a (minimal) subset of the components of the device, 
such that the observed behavior is consistent with the assumption that exactly 
the components in Δ are behaving abnormally. Computing diagnoses can also 
be formalized as a circumscription problem. 

The figure below depicts a hypothetical diagnosis scenario of an electrical 
circuit where merge paths are useful. The notation [0] in the left picture means 
that at this point the circuit is logical zero. The [0]’s at the bottom refer to input 
values of the actually observed behavior. The “Huge” box is meant to stand for 
a large circuit. The lightning at the output indicates that the predicted output 
is different from the actual output. We assume that two possible diagnoses are 
Δ1 = {inv1} and Δ2 = {inv2}. Then it is consistent to have [0] at the output of 
the and-gate, and we assume that this renders the whole description consistent. 



[Figure: left, the circuit; middle, the hyper tableau with branches ab(inv1) and 
ab(inv2), each containing a "[0]" node and a sub-tableau (triangle) yielding Δ1 
resp. Δ2; right, the same tableau with merge paths, where both Δ1 and Δ2 are 
found below a single sub-tableau.] 



Now, the crucial observation is that the computations of Δ1 and Δ2 show 
considerable redundancies. The hyper tableau based diagnosis approach of [2] 
would result in the tableau depicted in the middle of the figure. Diagnoses are 
read off from open branches by collecting the ab-literals found there. The trian- 
gles stand for sub-tableaux containing diagnoses of the "Huge" part. There are 
two open branches containing Δ1 and Δ2 respectively. 

Notice that the "Huge" part has to be diagnosed twice although for its diag- 
nosis exactly the same situation applies, namely [0] at its input. This is reflected 
by the nodes "[0]". Clearly, for the diagnosis of "Huge" it is irrelevant what 
caused the "[0]"-situation. The generalized underlying problem is well-known in 
the diagnosis community and is referred to as "reconvergent fanouts". 

So, the symmetry hidden in this problem was not exploited. In fact, the 
merge path technique just realizes this. It is indicated in the right part of the 
figure above: after the diagnosis Δ1 is computed in the left branch, and the 
computation reaches the "[0]" node in the right subtree, a merge path is drawn 
as indicated, and the branch with the right "[0]" node is closed. The price to be 
paid is that Δ1 as computed so far is invalid now. Technically, the ab(inv1) literal 
can be thought of as being removed from the branch (it becomes "invisible" in 
our terminology). Hence, the computation starts again as indicated below the 
triangle. Eventually, both Δ1 and Δ2 can be found there. 
Why is it attractive to use such a "non-monotonic" strategy? The answer is 
that it is little effort to recompute the initial segment of the diagnosis and better 
to save recomputing the "huge" part. We do not suggest to use the merge paths 
in all possible situations. In order to be flexible and allow guidance by heuristics, 
merge paths are thus always optional in the calculus defined below. 



Preliminaries. We assume that the reader is familiar with the basic concepts 
of first-order logic. Throughout this paper, we are concerned with finite ground 
clause sets. A clause is an expression of the form A ← B, where A = (A1, ..., Am) 
and B = (B1, ..., Bn) are finite sequences of atoms (m, n ≥ 0); A is called the 
head, and B is called the body of the clause. Whenever convenient, a clause is 
also identified with the disjunction A1 ∨ ··· ∨ Am ∨ ¬B1 ∨ ··· ∨ ¬Bn of literals. 

Quite often, the ordering of atoms does not play a role, and we identify A and 
B with the sets {A1, ..., Am} and {B1, ..., Bn}, respectively. Thus, set-theoretic 
operations (such as "⊆", "∩" etc.) can be applied meaningfully. 

By L̄ we denote the complement of a literal L. Two literals L and K are 
complementary if L = K̄. In the sequel, the letters K and L always denote 
literals, A and B always denote atoms, C and D always denote clauses, S always 
denotes a finite ground clause set, and Σ denotes its signature, i.e. Σ = ⋃{A ∪ B | 
A ← B ∈ S}. 

As usual, we represent a Σ-interpretation I by the set of true atoms, i.e. 
I(A) = true iff A ∈ I. Define I ⊨ A ← B iff B ⊆ I implies A ∩ I ≠ ∅. Notice 
that this is consistent with other usual definitions when clauses are treated as 
disjunctions of literals. Usual model-theoretical notions of "satisfiability", "va- 
lidity" etc. of clauses and clause sets are applied without defining them explicitly 
here. 

Minimal models are of central importance in various fields, like (logic) pro- 
gramming language semantics, non-monotonic reasoning (e.g. GCWA, WGCWA) 
and knowledge representation. Of particular interest are Γ-minimal models, i.e. 
minimal models only wrt. the Γ-subset of Σ. From a circumscriptive point of 
view, Γ is thus the set of atoms to be minimized, and Σ \ Γ varies. In the sequel, 
Γ always denotes some subset of the signature Σ. 

Definition 1 (Γ-Minimal Models). For any atom set M define the restric- 
tion of M to Γ as M|Γ = M ∩ Γ. In order to relate atom sets M1 and M2 define 
M1 ≤Γ M2 iff M1|Γ ⊆ M2|Γ, and M1 =Γ M2 iff M1|Γ = M2|Γ. As usual, 
the relation M1 <Γ M2 is defined as M1 ≤Γ M2 and not M1 =Γ M2. We say that a 
model I for a clause set M is Γ-minimal (for M) iff there is no model I' for M 
such that I' <Γ I. 

It is easy to see that ≤Γ is a partial order and that =Γ is an equivalence relation. 
Notice that the "general" minimal models can simply be expressed by setting 
Γ = Σ. Henceforth, by a minimal model we mean a Σ-minimal one. 

An obvious consequence of this definition is that every minimal model of S 
is also a Γ-minimal model of S (but the converse does not hold in general). 
2 Literal Trees and Merge Paths 

We consider finite ordered trees T where the nodes, except the root node, are 
labeled with literals. The labeling function is denoted by λ. A branch of T is a 
sequence b = (N0, N1, ..., Nn) of nodes of T such that N0 is the root, Ni is an 
immediate successor node of N(i-1) (for 1 ≤ i ≤ n) and Nn is a leaf node. The 
fact that b is a branch of T is also written as b ∈ T. 

Any subsequence b' = (Ni, ..., Nj) with 0 ≤ i ≤ j ≤ n is called a partial 
branch of b; if i = 0 then this subsequence is called rooted. Define last(b') = 
Nj. In the sequel the letter b always denotes a branch or a partial branch. 
The expression (b1, b2) denotes the concatenation of partial branches b1 and b2; 
similarly, the expression (b, N) denotes (Ni, ..., Nj, N), where b is the partial 
branch (Ni, ..., Nj). For convenience we write "the node L", where L is a literal, 
instead of the more lengthy "the node N labeled with L", where N is some node 
given by the context. In the same spirit, we write (L1, ..., Ln) and mean the 
partial branch (N1, ..., Nn), or even (N0, N1, ..., Nn) in case N0 is the root and 
N1 is an immediate successor node of the root, where Ni is labelled with Li (for 
1 ≤ i ≤ n). Further, (b, L) means (b, N), where N is some node labeled with L 
and b is a partial branch. 

A branch b is labeled either as "open", "closed" or with some subset of Γ. In 
the latter case, b is called a MM-branch, and MM(b) denotes that set, which is 
called the minimal model of b. A tree or subtree is closed iff every one of its branches 
is closed, otherwise it is non-closed. A tree or subtree is open if some of its 
branches are open. 

Definition 2 (Ancestor Path, Merge Path). Let T be a tree and suppose 
that T contains a rooted partial branch b of the form b = (N0, N1, ..., Ni, ..., Nn) 
with N0 being the root. Any sequence ancp(b, Ni) := (Nn, N(n-1), ..., Ni), where 
n ≥ i ≥ 0, is called an ancestor path (of b). The node Nn is called the tail and 
the node Ni is called the head of this ancestor path. Now, if it additionally holds 
that λ(Ni) = A and λ(Nn) = ¬A (for some atom A) then ancp(b, Ni) is called 
an ancestor merge path (of b). 

Let T contain rooted partial branches b^N = (N0, N1, ..., Ni, N(i+1), ..., Nn) and 
b^M = (N0, N1, ..., Ni, M(i+1), ..., Mm) with N0 being the root and m, n > i ≥ 0 
and M(i+1) ≠ N(i+1) and such that λ(Nn) = λ(Mm) = A for some atom A. 
Define p^N = (Nn, ..., N(i+1)), p^M = (M(i+1), ..., Mm) and p = (p^N, p^M). Here, p 
is understood as a concatenation of p^N and p^M. By this definition, nodes on 
paths are written in order from tail to head. We assume that p can always be 
decomposed into its constituents p^N and p^M; p is called a non-ancestor merge 
path of T from b^N to b^M with tail Nn and head Mm. It is also denoted by 
mergep(b^N, b^M). The node Ni is called the turn point of p. Note that the turn 
point is not on p. 

By a merge path we mean a non-ancestor merge path or an ancestor merge 
path. The letters p and q are used in the sequel to denote ancestor paths or merge 
paths, and the letter P will be used to refer to sets of merge paths. 
A non-ancestor merge path with m = n = i + 1 is called factoring, the case 
m = i + 1 is called a hook, and the case m > i + 1 is called a deep merge path. 

Definition 3 (Ordering on paths). Suppose the paths p = (N1, ..., Nn) 
and q = (M1, ..., Mm) are given. Define q precedes p, written q ≺ p, iff Mm ∈ 
{N1, ..., N(n-1)}. We say that a finite set of paths P is legal iff the ≺ relation on 
P can be extended to a partial order on P. Illegal means not legal. 

Notice that the ≺ relation is irreflexive but in general not transitive. One could 
also define a set of paths to be illegal if it contains a cycle, i.e. if there are paths 
p1, ..., pn ∈ P such that p1 ≺ p2 ≺ ... ≺ pn ≺ p1, for some n ≥ 1. Avoiding 
cycles is important to guarantee the soundness of the calculus. 

Example 1 (Ordering). The figure below contains examples of trees equipped 
with merge paths. The underlying clause sets can be left implicit. Merge paths 
are indicated using arrow notation. For instance, in the right tree, the arrow from 
the leaf node ¬A to A indicates an (the) ancestor merge path p1 = (¬A, C, A) of 
the branch (A, C, ¬A) with tail ¬A and head A. In the same tree, the arrow from 
the rightmost node C to the other node C indicates a non-ancestor merge path 
p2 = mergep((B, C), (A, C)) = (C, B, A, C) with tail C (the right node) and 
head C (the other node C) and the root as turn point. In terms of Definition 2 
we have p2^N = (C, B) and p2^M = (A, C). The path p2 is an example of a deep 
merge path. The merge path set {p1, p2} is not legal because both p1 ≺ p2 and 
p2 ≺ p1 and hence ≺ cannot be extended to a partial order. The left tree contains 
two non-ancestor merge paths and both are "hooks". 





The left and right cases are the simplest cases for illegality, as in both cases 
only two merge paths are involved. These are illegal, because the heads of the 
merge paths are mutually contained as inner nodes. The left tableau would 
correspond to an unsound combination of the “folding up” and “folding down” 
inference rules, usually avoided in implementations by choosing not to combine 
them at all. 

The new calculus to be presented below does not only construct a tableau T as 
the derivation proceeds, but also a legal set of merge paths P. This guarantees 
soundness. 

In order to achieve minimal model computation, we have to define how in- 
terpretations are extracted from open branches. 

Definition 4 (Visibility, Branch Semantics). Let b = (N0, N1, ..., Nn) be a 
rooted partial branch in a tree T (not necessarily a hyper tableau) with n ≥ 0, 
and let P be a legal set of merge paths in T. The node Ni (where 0 < i ≤ n) 
that is not the tail of a merge path in P is said to be visible from Nn wrt. P iff 
P ∪ {ancp(b, Ni)} is legal. Define 

    [[(N0, N1, ..., Nn)]]_P = {λ(Ni) | Ni visible from Nn wrt. P, for 0 < i ≤ n} . 

The set [[b]]_P is called inconsistent iff {A, ¬A} ⊆ [[b]]_P for some atom A; con- 
sistent means "not inconsistent". We omit "wrt. P" when P is given by the 
context. 

The head of a merge path hides nodes that are on the path from nodes beyond the 
head, i.e. away from the direction that the head points. Those nodes that are not 
hidden from a node are visible to that node. In the definition of branch semantics 
an atom A is true in a consistent branch if and only if it is visible from the leaf. 
For instance, in the middle tableau in Example 1 we have [[(A, C, ¬C)]]_P = 
{¬C, C} and, for the other branch, {B, C}, where P consists of the two merge paths 
drawn there. Notice that the case n = 0 is not excluded, and it holds that 
[[(N0)]]_P = ∅. 
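Definitions 2 to 4 in executable form, as an added Python example that is not part of the paper: paths are built tail-to-head with ancp and mergep, ≺ follows Definition 3, legality is checked as acyclicity of the ≺ graph, and visibility is modelled as "adding ancp(b, Ni) to P keeps P legal". The tree shape is taken from Example 1; the two merge paths assumed for the middle tableau are read from Section 3.1 and are assumptions of this example.

```python
"""Merge paths on literal trees (Definitions 2-4), added example code."""
from itertools import count


class Node:
    """Node of a literal tree; the root has label None, all others a literal."""
    _ids = count()

    def __init__(self, label=None, parent=None):
        self.label = label
        self.parent = parent
        self.id = next(Node._ids)   # for readable reprs only; nodes compare by identity

    def __repr__(self):
        return f"{self.label}#{self.id}"

    def branch(self):
        """Rooted partial branch (N0, ..., self) as a tuple of nodes, root first."""
        seq, n = [], self
        while n is not None:
            seq.append(n)
            n = n.parent
        return tuple(reversed(seq))


# Paths are tuples of nodes written from tail to head, as in Definition 2.

def ancp(b, head):
    """Ancestor path of the rooted partial branch b from last(b) up to `head`."""
    return tuple(reversed(b[b.index(head):]))


def mergep(bN, bM):
    """Non-ancestor merge path from branch bN to bM (tail last(bN), head last(bM))."""
    k = 0
    while k < min(len(bN), len(bM)) and bN[k] is bM[k]:
        k += 1
    # bN[k-1] is the turn point N_i; it lies on neither half of the path.
    return tuple(reversed(bN[k:])) + tuple(bM[k:])   # (N_n..N_{i+1}) + (M_{i+1}..M_m)


def precedes(q, p):
    """q ≺ p iff the head of q is a node of p other than p's own head (Definition 3)."""
    return any(q[-1] is n for n in p[:-1])


def is_legal(paths):
    """≺ extends to a partial order iff the ≺-graph over `paths` has no cycle (DFS)."""
    paths = list(paths)
    succ = {i: [j for j in range(len(paths)) if precedes(paths[i], paths[j])]
            for i in range(len(paths))}
    state = {}                                   # 1: on DFS stack, 2: finished

    def on_cycle(i):
        state[i] = 1
        for j in succ[i]:
            if state.get(j) == 1 or (j not in state and on_cycle(j)):
                return True                      # back edge: a ≺-cycle exists
        state[i] = 2
        return False

    return not any(i not in state and on_cycle(i) for i in range(len(paths)))


def semantics(b, paths):
    """Branch semantics [[b]]_P: labels of the nodes N_i (i > 0) visible from the
    leaf, modelled as: adding ancp(b, N_i) to P keeps P legal."""
    paths = set(paths)
    return {n.label for n in b[1:] if is_legal(paths | {ancp(b, n)})}


def build_tree(leaf_label):
    """Constructed tree of Example 1: branches (A, C, leaf) and (B, C) under the root."""
    root = Node()
    a = Node("A", root)
    c_left = Node("C", a)
    leaf = Node(leaf_label, c_left)
    b = Node("B", root)
    c_right = Node("C", b)
    return a, c_left, leaf, c_right


def example1_right_tree():
    """p1 = (¬A, C, A) and p2 = (C, B, A, C) from the right tree of Example 1."""
    a, c_left, not_a, c_right = build_tree("¬A")
    p1 = ancp(not_a.branch(), a)
    p2 = mergep(c_right.branch(), c_left.branch())
    return p1, p2


def middle_tableau_semantics():
    """Middle tableau of Example 1 with the merge paths assumed from Section 3.1:
    (¬C, C) from the extension step with ← C, and (C, B, A, C) closing the right branch."""
    _, c_left, not_c, c_right = build_tree("¬C")
    P = {ancp(not_c.branch(), c_left), mergep(c_right.branch(), c_left.branch())}
    return semantics(not_c.branch(), P)


if __name__ == "__main__":
    p1, p2 = example1_right_tree()
    print("p1 ≺ p2:", precedes(p1, p2), " p2 ≺ p1:", precedes(p2, p1))
    print("{p1, p2} legal:", is_legal({p1, p2}))            # False: a ≺-cycle
    print("[[(A, C, ¬C)]]_P =", middle_tableau_semantics())   # {'¬C', 'C'}
```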



3 Hyper Tableaux with Merge Paths 

Before defining the new calculus we take one more preliminary step: suppose 
that B ∈ [[b]]_P for given open branch b and legal path set P. In the trees con- 
structed in Definition 5, there is a unique node N_B in b with λ(N_B) = B such 
that N_B is visible from the leaf of b. Consequently, the ancestor merge path 
ancp((b, ¬B), N_B) is uniquely defined, and it is denoted by ancp((b, ¬B)) alone. 



Definition 5 (Hyper tableaux with merge paths). Let T be a tree, b be a 
branch in T and let L1 ∨ ··· ∨ Ln be a disjunction of literals. We say that T' is an 
extension of T at b with L1 ∨ ··· ∨ Ln iff T' is obtained from T by attaching to 
the leaf of b n new successor nodes N1, ..., Nn that are labeled with the literals 
L1, ..., Ln in this order. 

A selection function is a total function f that maps an open tree to one of 
its open branches. If f(T) = b we also say that b is selected in T by f. 

Hyper tableaux T for S with merge path set P - or (T, P) for short - are 
defined inductively as follows. 

Initialization step: (ε, ∅) is a hyper tableau for S, where ε is a tree consisting 
of a root node only. Its single branch is marked as "open". 

Hyper extension step with C: If (i) (T, P) is an open hyper tableau for S with 
selected branch b, and (ii) C = A1, ..., Am ← B1, ..., Bn is a clause from S (for 
some A1, ..., Am and B1, ..., Bn and m, n ≥ 0), and (iii) {B1, ..., Bn} ⊆ [[b]]_P, 
and (iv) {A1, ..., Am} ∩ [[b]]_P = ∅ (regularity), then (T', P') is a hyper tableau 



^ Most proofs are omitted or only sketched for space reasons; the full version [4] 
contains all proofs. 
for S, where (i) T' is an extension of T at b with A1 ∨ ··· ∨ Am ∨ ¬B1 ∨ ··· ∨ ¬Bn; 
and (ii) every branch (b, ¬B1), ..., (b, ¬Bn) of T' is labeled as closed, and (iii) 
every branch (b, A1), ..., (b, Am) of T' is labeled as open, and (iv) P' = P ∪ 
{ancp((b, ¬B1)), ..., ancp((b, ¬Bn))}. If conditions (i) - (iv) hold, we say that 
an "extension step with clause C is applicable to b". 

Merge path step with p: If (i) (T, P) is an open hyper tableau for S with 
selected branch b, and (ii) p = mergep(b, b^M) is a non-ancestor merge path from 
b, for some rooted partial branch b^M of T, and (iii) last(b^M) is not the tail of a 
merge path in P, and (iv) P ∪ {p} is legal, then (T', P') is a hyper tableau for S, 
where (i) T' is the same as T, except that b is labeled as closed in T', and every 
MM-branch b' of T with [[b']]_{P ∪ {p}}|Γ ≠ MM(b') is labeled as open in T', and (ii) 
P' = P ∪ {p}. If conditions (i) - (iv) hold, we say that a "merge path step with 
merge path p is applicable to b". 

Minimal Model Test: If (i) (T, P) is an open hyper tableau for S with selected 
branch b, and (ii) [[b]]_P is a Γ-minimal model of S, then (T', P) is a hyper tableau 
for S, where T' is the same as T except that b is labeled in T' with [[b]]_P|Γ. If 
applicability conditions (i) and (ii) hold, we say that the minimal model test 
inference rule is applicable (to b). 

A (possibly infinite) sequence ((ε, ∅) = (T0, P0)), (T1, P1), ..., (Tn, Pn), ... of 
hyper tableaux for S is called a derivation, where (T0, P0) is obtained by an 
initialization step, and for i > 0 the tableau (Ti, Pi) is obtained from (T(i-1), P(i-1)) 
by a single application of one of the other inference rules. A derivation of (Tn, Pn) 
is a finite derivation that ends in (Tn, Pn). A refutation of S is a derivation of 
a closed tableau. 

This definition is an extension of previous ground versions of hyper tableaux 
(mentioned in the introduction) by bringing in an inference rule for merge paths 
and explicitly handling Γ-minimal models. The introduction of non-ancestor 
merge paths requires explicitly keeping track of the ancestor merge paths as 
well. 

The purpose of the hyper extension step rule is to satisfy a clause that is 
not satisfied in the selected branch b. An implicit legality check for the ancestor 
paths added in an extension step is carried out by excluding those atoms from 
the branch semantics that would cause illegality when drawing an ancestor path 
to them. 

An obvious invariant of the inference rules is that every open or MM-branch 
b is labeled with positive literals only and hence [[b]]_P is consistent. Thus [[b]]_P 
conforms to our convention of representing interpretations as the set of atoms 
being true in it. 

The purpose of the minimal model test rule is to remember that a Γ-minimal 
model is computed and to attach it to the selected branch b. Since usually one is 
interested only in the Γ-subset of models, we keep only the Γ-atoms. These are 
thought to be the output of the computation. Notice that for MM-branches, a 
hyper extension step is not applicable, because MM-branches are not open and 
only open branches can be selected. For the same reason merge path steps are 
also not applicable to MM-branches. 

The purpose of the merge path step inference rule is to close branches because 
a "proof" or a model is to be found in the branch where the drawn merge path is 
pointing to. But in the course of a derivation, a previously computed Γ-minimal 
model MM(b) of a branch b might no longer be the same as [[b]]_{P'}|Γ, because of 
a deep merge path step with head node (for instance) in b. Therefore, the label 
MM(b) has to be rejected and the branch has to be opened again for further 
extension. This is expressed in item (i) in the conclusion of the merge path 
step inference rule (Def. 5). Notice, however, that this happens only if some 
atom A ∈ Γ in [[b]]_P becomes invisible, not if some other literal from Σ \ Γ 
becomes invisible. Thus, some deep merge paths can still be drawn without 
causing recomputation. 



3.1 Examples 

(1) Consider the figure in Example 1 again. Closed branches are marked with 
the symbol "×" as closed. Only the tableau in the middle is constructible by the 
calculus, because the calculus rules forbid the derivation of a tableau with an 
illegal set of merge paths. In this middle tableau the left branch gets closed by 
a hyper extension step with the clause ← C, and the right branch is closed by 
a non-ancestor merge path step as indicated. This application of a non-ancestor 
merge path step corresponds to a folding-up step in model elimination [9]. 

The right tableau shows that both ancestor and non-ancestor merge paths 
have to be taken into account for legality. 

(2) The figure below serves as an example to demonstrate the change of branch 
semantics as the derivation proceeds and the computation of models. We forget 
about the minimal model test rule for a moment. 




Suppose that the hyper tableau [1] has been constructed. The semantics of 
the right branch b = (B, E, C) is [[b]]_P = {B, E, C}. Suppose that this branch 
can be extended further. Suppose that the left subtree contains an open branch 
b... that makes A and C true. This is indicated by the set [[b...]]_P = {A, C, ...}. 
Further suppose that this is a minimal model. 
Next, let a merge path step be applied with non-ancestor merge path p to 
the tableau [1] yielding the tableau [2]. By this step, b is closed and hence 
its interpretation is rejected for the time being. A second effect of this step 
is that the node labeled with A becomes invisible from the leaf of b.... Thus 
[[b...]]_{P'} = {C, ...}. Now, this new interpretation has to be "repaired" by 
bringing in A again. This is done in the next step by extending with A ∨ B 
yielding a tableau [3] (which is not depicted). Notice that the minimal model 
[[b...]]_P is indeed reconstructed, only in a different order. In order to reconstruct 
the interpretation {B, E, C} from above that was rejected by the merge 
path step, a hyper extension step below the new B node with E is carried 
out. This leads to the tableau [4]. Notice that the new branch with semantics 
{C, ..., B, E} possibly contains more elements than the corresponding one with 
semantics {B, E, C}. 

It is worth emphasizing that the re-computation of models happens only in 
the case of non-ancestor merge paths with their head in open branches. Merge 
paths into closed branches are “cheap” in that no re- computation is necessary. 
Thus, in a sense, refutational theorem proving, which would stop with failure 
after the first open finished branch (cf. Def. 6 below) is found, is “simpler” than 
computing models. 

In order to demonstrate the effect of the minimal model test inference rule let 
now Γ = {C, E}. We start with tableau [1] again. For the branch b... the minimal 
model [[b...]]_P = {A, C, ...} was supposed. Suppose that E is not contained in 
that set. Then [[b...]]_P|Γ = {C} is a Γ-minimal model, because [[b...]]_P is a minimal 
model. According to the minimal model test inference rule, the branch b... can 
be labeled with {C} then. 

Now, consider tableau [2]. The merge path p there eliminates the Γ-minimal 
model candidate in the right branch by closing it. Concerning the left branch 
b..., although A has been removed from its previous interpretation [[b...]]_P = 
{A, C, ...}, its Γ-minimal model {C} has not been changed, i.e. [[b...]]_P|Γ = 
[[b...]]_{P'}|Γ = {C}. Consequently the branch label {C} does not have to be removed 
and b... does not have to be opened again. This is reflected by the result description 
(i) in the definition of merge path step. If E were A, the branch b... would have 
to be opened again and the computation could continue as above leading to [4]. 



3.2 Finite Derivations 

Unfortunately, our calculus does not terminate in general, i.e. there are infinite 
derivations (for finite clause sets), although we employ the "regularity" test (cf. 
Def. 5). This is due to deep merge paths - without them, termination is straight- 
forward to prove. For instance, the satisfiable clause set {(A, B ← ), (B, C ← 
), (A, D ← ), (C ← A)} admits an infinite derivation (cf. [4]) even under very 
reasonable assumptions, namely that only hooks are mandatory, and that deep 
merge paths are carried out only to close branches holding non-minimal models. 
As a consequence we propose the following technique: 
Theorem 1 (Termination Criterion). A derivation (T0, P0), ..., (Tn, Pn), ... 
is finite, provided that for every (Ti, Pi), where i ≥ 0, an applicable merge path 
step with merge path p is not carried out if for some open branch b in Ti more 
than an a priori fixed number max of occurrences of some label A is invisible 
from last(b) wrt. Pi ∪ {p}. 

This criterion avoids infinite derivations by bounding repetitions of the same 
literal along branches. A trivial instance is max = 0. Then no deep merge paths 
but only hooks are possible. The idea underlying the criterion is that one should 
not repeat without bound the derivation of an atom that becomes repeatedly 
invisible on a branch. Due to this criterion we consider from now on only finite 
derivations. 

Definition 6 (Redundancy, Fairness). Suppose as given some hyper tableau 
(T, P) for S. A clause A ← B is called redundant in an open branch b of T wrt. 
P iff B ⊆ [[b]]_P implies A ∩ [[b]]_P ≠ ∅. 

A branch b of T is called finished (wrt. P) iff (i) b is closed, or (ii) b is an 
MM-branch, or else (iii) the minimal model test inference rule is not applicable 
to b and every clause A ← B ∈ S is redundant in b wrt. P. The term unfinished 
means "not finished". 

Now suppose as given a finite derivation D = (T0, P0), ..., (Tn, Pn) from S 
with selection function f. D is called fair iff (i) D is a refutation, i.e. Tn is 
closed, or else (ii) f(Tn) is finished wrt. Pn. 

The selection function f is called a model computation selection function 
iff f maps a given open hyper tableau (T, P) to an unfinished branch wrt. P, 
provided one exists, else f maps T to some other open (finished) branch. 

According to this definition, the only possibility to be unfair is to terminate 
a derivation with a selected open branch that could be either labeled with a 
Γ-minimal model or extended further. 

The existence of fair derivations is straightforward because we insist on finite 
derivations. Notice that any input clause not redundant so far in a branch b can 
be made redundant by simply carrying out an extension step with that clause. 

The idea behind a model-computation selection function is that no derivation 
should stop with an unfinished branch. Since finished open branches constitute 
Γ-models, with such a selection function every Γ-minimal model is computed. 



4 Soundness and Completeness 

Lemma 1 (Soundness lemma). Let (T, P) be a hyper tableau for satisfiable 
clause set S. Then for every minimal model I of S there is an open branch b of 
T such that [[b]]_P ⊆ I. 

The proof of Lemma 1 is done by simulating non-ancestor merge paths by atomic 
cuts, i.e. by β-steps applied to disjunctions of the form A ∨ ¬A, for some atom 
A. The branch semantics in presence of atomic cuts is given by forgetting about 
the negative literals, i.e. by {A ∈ [[b]]_P | A is a positive literal} for any 
consistent branch b in a hyper tableau with atomic cuts. 

The transformation $t$ defined below takes a hyper tableau with cut $(T, \mathcal{P})$ where $\mathcal{P}$ is legal and contains at least one non-ancestor merge path, and returns a hyper tableau with cut $(T', \mathcal{P}') = t(T, \mathcal{P})$ that contains one less non-ancestor merge path in $\mathcal{P}'$ (which is legal as well). The transformation $t$ preserves the following invariant: for every consistent and open branch $b'$ of $T'$ there is a consistent and open branch $b$ of $T$ such that $[\![b]\!]_{\mathcal{P}} \subseteq [\![b']\!]_{\mathcal{P}'}$. Repeated application of $t$ as long as possible results in a tableau $(T_{cut}, \mathcal{P}_{cut})$ with cuts but without non-ancestor merge paths. All literals along all branches are visible there, and hence we have a “standard tableau” with cuts then. The lemma then is proven for this tableau, and using the invariant above it can be translated back for the originally given tableau $(T, \mathcal{P})$.

The transformation $t$ itself is depicted in the figure below. The left side displays the most general situation. Dashed lines mean partial branches. For instance, the top leftmost dashed line leading to $B$ means the partial branch $p_B$ from the root to the node (inclusive) labeled with $B$. Triangles are certain forests. The most appropriate intuition is to think of trees as branch sets. Then the triangle is simply the set of the branches obtained from $T$ by deleting all branches that contain $p_B$.




Since $\mathcal{P}$ is legal it is extendible to a partial order $\ll$. Let $p$ be a minimal element in this order. This is the one to be transformed away. It is important to use a minimal element in order to prove the invariant.

The solid lines, just like the ones below $B$, indicate a hyper extension step; here, it is supposed that a hyper extension step with clause $C = A_1 \vee \cdots \vee A_n \leftarrow B$ has been carried out to $p_B$, and all the literals short of $A_i$ and $A_j$ (for some $i, j \in \{1, \ldots, n\}$ and $i \neq j$) are attached to nodes in the subtree $T_B$. The assumed non-ancestor merge path $p$ is indicated with tail node $C$ (left) and head node $C$ (right) and turn point $B$. There might be other non-ancestor merge paths in $\mathcal{P}$, in particular some where the head of $p$ is an inner node. This possibility is indicated in the figure as well, by the arrow pointing into $T_C$. The tail of this non-ancestor merge path, say $p_C$, is a leaf node $N$ somewhere in $T$.

Inconsistent or closed branches are marked by “×”. The effect of the transformation $t$ is shown on the right. Notice the cut with $C \vee \neg C$ at the turn point $B$. The transformation is understood to move merge paths as well. For example, the non-ancestor merge path $p_C$ still has the same head and tail node, but they are possibly located in different places in $T'$ now, and also a different turn point might result. After transformation some branches might get closed due to the presence of $\neg C$. This is indicated by “(×)”. Notice that the transformation only introduces new negative literals into branches, $\neg C$, so that the branch semantics wrt. positive literals does not change, as required in the invariant.

The central properties that have to be argued for are (i) that the tableau resulting from the transformation is a hyper tableau (i.e. that all negative leaf nodes can still be closed by legal ancestor paths), and (ii) that the invariant holds. This is done by expressing the invariant in terms of visibility from leaf nodes and then arguing with the orderings underlying $\mathcal{P}$ and $\mathcal{P}'$.

This lemma is applied in the proof of the next theorem, which is our main 
result. 

Theorem 2 (Soundness and Completeness). Let $f$ be a model computation selection function and $D$ be a finite, fair derivation from clause set $S$ of the hyper tableau $(T, \mathcal{P})$. Then $\{MM(b) \mid b \text{ is an MM-branch of } T\} = \{I|_\Gamma \mid I \text{ is a } \Gamma\text{-minimal model of } S\}$. Furthermore, if $S$ is unsatisfiable then $T$ is closed (refutational completeness).

Proof. Minimal model soundness - the first theorem statement in the “$\subseteq$”-direction - is an immediate consequence of the applicability condition (ii) in the minimal model test inference rule and the result description (i) in the merge path step inference rule. Regarding minimal model completeness - the first theorem statement in the “$\supseteq$”-direction -, suppose to the contrary that for some $\Gamma$-minimal model $I$ of $S$ there is no MM-branch $b$ of $T$ such that $[\![b]\!]_{\mathcal{P}} =_\Gamma I$.

Clearly $I|_\Gamma = I'|_\Gamma$ for some minimal model $I'$ of $S$. Now, label all MM-branches of $T$ as open and let $T'$ be the resulting tableau. By the soundness lemma (Lemma 1) we know that $T'$ contains an open branch $b$ with $[\![b]\!]_{\mathcal{P}} \subseteq I'$. Suppose that $b$ is an MM-branch of $T$. The case $[\![b]\!]_{\mathcal{P}} =_\Gamma I$ is impossible by the assumption to the contrary. Hence from $[\![b]\!]_{\mathcal{P}} \neq_\Gamma I$ and $[\![b]\!]_{\mathcal{P}} \subseteq I'$ it follows $[\![b]\!]_{\mathcal{P}} <_\Gamma I$. This, however, is impossible by soundness, as it contradicts the given fact that $I$ is a $\Gamma$-minimal model. Therefore $b$ is not an MM-branch in $T$. Since it is open in $T'$ it must be open in $T$ as well. We are given that $D$ is fair. Since $f$ is a model computation selection function, this implies that $b$ is finished.

For this particular $b$ we show next that $[\![b]\!]_{\mathcal{P}} =_\Gamma I$ holds. For, suppose to the contrary, that $[\![b]\!]_{\mathcal{P}} \neq_\Gamma I$ holds. Again, with $[\![b]\!]_{\mathcal{P}} \subseteq I'$ it follows $[\![b]\!]_{\mathcal{P}} <_\Gamma I$. Since $b$ (of $T$) is open - i.e. neither closed nor an MM-branch - and finished, the minimal model test rule is not applicable and every clause from $S$ is redundant in $b$ wrt. $\mathcal{P}$. In other words, $[\![b]\!]_{\mathcal{P}} \models S$. With $[\![b]\!]_{\mathcal{P}} <_\Gamma I$ this is a contradiction to the given $\Gamma$-minimality of $I$. Hence, $[\![b]\!]_{\mathcal{P}} =_\Gamma I$. But then the minimal model test inference rule is applicable to $b$, because $I$ is given as a $\Gamma$-minimal model, and so $[\![b]\!]_{\mathcal{P}}$ is a $\Gamma$-minimal model as well. Hence $b$ is not finished, contradicting the given fairness of $D$. So the outermost assumption to the contrary must have been wrong, and the theorem follows.

Refutational completeness is proven as follows: suppose that $S$ is unsatisfiable but $T$ is not closed. By the minimal model soundness result then $T$ must contain an open branch $b$ (because MM-branches are impossible). Since $[\![b]\!]_{\mathcal{P}}$ is an interpretation and $S$ is unsatisfiable, $[\![b]\!]_{\mathcal{P}}$ falsifies some input clause from $S$. But then a hyper extension step is applicable to $b$ with this clause. This contradicts the given fact that $D$ is fair. □
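As an added illustration of Definition 6 and Theorem 2 (example code, not from the paper), the following Python sketch runs a propositional hyper tableau without merge paths: a branch is the set of atoms on it, a clause is redundant exactly as the definition states, finished open branches are models, and the paper's minimal model test is replaced by a brute-force $\Gamma$-minimality check. On a constructed clause set it checks that the MM-branch projections coincide with the projections of the $\Gamma$-minimal models, and that an unsatisfiable set closes every branch.

```python
"""Propositional hyper tableau model computation (added example, not from the paper).
Assumptions: clauses are ground and written (head, body) for head <- body, with
head and body as sets of atoms; there are no merge paths, so the branch
semantics [[b]] is simply the set of atoms on b; the minimal model test is
replaced by a brute-force Gamma-minimality check over all interpretations."""
from itertools import combinations

def redundant(clause, branch):
    """Definition 6: head <- body is redundant in b iff body <= [[b]] implies
    head & [[b]] != {}; for an interpretation this is just clause satisfaction."""
    head, body = clause
    return not body <= branch or bool(head & branch)

def hyper_tableau(clauses):
    """Fair expansion: returns (finished open branches, number of closed branches).
    A branch is a frozenset of atoms; a hyper extension step with a non-redundant
    clause adds one child per head atom, and an empty head closes the branch.
    Every returned branch is finished, i.e. all clauses are redundant in it."""
    finished, closed, todo = [], 0, [frozenset()]
    while todo:
        b = todo.pop()
        pending = [c for c in clauses if not redundant(c, b)]
        if not pending:
            finished.append(b)
            continue
        head, _ = pending[0]
        if not head:
            closed += 1                     # negative clause violated: branch closed
        todo.extend(b | {a} for a in head)
    return finished, closed

def models(clauses, atoms):
    """All models of the clause set, by brute force over the 2^|atoms| interpretations."""
    atoms = sorted(atoms)
    return [frozenset(s) for k in range(len(atoms) + 1) for s in combinations(atoms, k)
            if all(redundant(c, frozenset(s)) for c in clauses)]

def gamma_minimal(i, all_models, gamma):
    """I is Gamma-minimal iff no model J has J|_Gamma a proper subset of I|_Gamma."""
    return not any((j & gamma) < (i & gamma) for j in all_models)

def mm_branches(clauses, atoms, gamma):
    """Left-hand side of Theorem 2: {MM(b) | b is an MM-branch}, where an MM-branch
    is a finished open branch whose model passes the minimality test."""
    finished, _ = hyper_tableau(clauses)
    all_models = models(clauses, atoms)
    return {b & gamma for b in finished if gamma_minimal(b, all_models, gamma)}

def gamma_minimal_models(clauses, atoms, gamma):
    """Right-hand side of Theorem 2: {I|_Gamma | I is a Gamma-minimal model of S}."""
    all_models = models(clauses, atoms)
    return {i & gamma for i in all_models if gamma_minimal(i, all_models, gamma)}

# Constructed clause set S (head <- body): a and b are minimised, c, d, e vary.
S = [
    ({'a', 'b'}, set()),        # a v b <-
    ({'c'}, {'a'}),             # c <- a
    ({'c'}, {'b'}),             # c <- b
    ({'d', 'e'}, {'c'}),        # d v e <- c
    (set(), {'a', 'd'}),        # <- a, d   (a and d are incompatible)
]
ATOMS = {'a', 'b', 'c', 'd', 'e'}
GAMMA = frozenset({'a', 'b'})

if __name__ == '__main__':
    branches, closed = hyper_tableau(S)
    print('finished open branches:', [sorted(b) for b in branches], 'closed:', closed)
    print('MM(b):', mm_branches(S, ATOMS, GAMMA))
    print('Gamma-minimal models restricted to Gamma:', gamma_minimal_models(S, ATOMS, GAMMA))
```

The branch {a, c, d} is closed by the negative clause, and the three finished open branches project onto exactly the two $\Gamma$-minimal model projections {a} and {b}.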

5 Further Considerations and Conclusions 

Calculi like ours and related calculi need some extra test or device to ensure $\Gamma$-minimal model soundness as well. This is due to the inherent complexity of the problem [6]. Fortunately, every $\Gamma$-minimal model candidate can be tested in a branch-local way for actual $\Gamma$-minimality. More specifically, the approach suggested as the groundedness test in [12,13] is adapted in the full paper. This approach is attractive due to its low (polynomial) memory consumption. Since our approach, when forgetting about merge path steps, is an instance of the method in [13], low memory consumption can be achieved in our case as well. This does not hold for related methods like MILO-resolution [15], or the minimal-model computation extension of MGTP proposed in [8], or the tableau method of [14], whose worst-case space complexity is exponential.

In the proof of Lemma 1 we indicated how atomic cuts can be used to simulate 
non-ancestor merge paths. So, the question might arise why not directly use these 
cuts. The answer is manifold. First, by the mere fact that the simulation exists 
we get insights how merge paths relate to atomic cuts. Second, the graphical 
notation might be a helpful metaphor to study the topic. Third, merge paths 
correspond only to certain cuts, much like folding-down [9] or related techniques 
like complement splitting [10] also correspond only to certain cuts. Fourth, with 
merge paths, the effect is that they are surgically inserted into the path, and 
thus in this sense we procrastinate insertion of cuts until useful. 

Our approach can be viewed as a Davis-Putnam (DP) procedure. In DP, 
splitting in a certain order is advantageous for deterministic computation (unit- 
resulting steps). Our procedure can use the entire set of visible literals to achieve 
the same determinism, without pre-selecting this splitting order. 

It is generally accepted that analytic or even atomic cuts should be applied with care in order not to drown in the search space. This is our viewpoint as well. We emphasize one particular property of the transformation $t$ (cf. the figure in the proof of Lemma 1): in the cut simulation, the subtree $T_C$ is moved to a different place in the tree. By the bare fact that the considered non-ancestor merge path $p$ is legal in the merge path set containing it, we can be sure that the destination of $T_C$ (the $C$ node) contains enough ancestor literals so that $T_C$ remains a hyper tableau - that all branches with negative leaves remain inconsistent. Clearly, opening branches again would be undesirable as it is unclear if any progress is achieved then. The alternative, forgetting about $T_C$, would cause a lot of recomputation.

Of course, this and other effects and how to avoid them could be formulated 
as conditions on cuts as well. Non-termination would result if the same atomic 
cut occurs without bound on a branch. 
Conclusions. In this paper we extended previous versions of the hyper tableau calculus by inference rules for merge paths, a device that was originally conceived to speed up refutational theorem proving in the context of clause trees [7]. Our primary goal was to investigate the consequences for model computation purposes. Our main result is therefore a minimal model sound and complete calculus to compute circumscription in the presence of minimized and varying predicates. The motivation was given by the potential to solve a certain problem in diagnosis applications.

We argued that the new calculus generalizes other approaches developed in comparable calculi (folding-up/down, complement splitting). How to apply the new technique practically, in particular in the envisaged diagnosis domain, is subject to further investigations. Fortunately, the legality test is $O(|\mathcal{P}|)$ and only negligible overhead is introduced. An algorithm is described in [7].

Acknowledgements. We thank the reviewers for their valuable comments. 
Abstract. The compilation approach for Labelled Deductive Systems (CLDS) is used to obtain a decidable theorem prover for propositional intuitionistic logic. Previous applications of the CLDS method were based around a natural deduction system, together with the notion of a theory as a structure of points, called a configuration, and a semantic approach using a translation technique based on first-order logic. In this paper the same semantic method is used, but the proof system is instead a first order theorem prover using techniques drawn from the Davis Putnam and Hyper-resolution procedures. This is shown to be sound and complete with respect to the semantics. The resulting system is a generalisation of intuitionistic logic in a sense that is explained and it is briefly compared with other first order translation techniques.



1 Introduction 

A general methodology based on Gabbay’s Labelled Deductive Systems (LDS) [7], called the Compiled Labelled Deductive Systems approach (CLDS), is described in [11,4]. The method allows various logics to be formalised within a single framework. In this paper the method is specifically applied to intuitionistic logic (IL). The motivation for using LDS derives from the observation that many logics only differ from each other in small ways. In the family of modal logics, for example, the differences can be captured semantically through the properties of the accessibility relation, or syntactically within various side-conditions on the proof steps. In substructural logics, the differences can be captured in the syntax by means of the structural proof rules. In a CLDS, capturing differences between logics is achieved through the use of a combined language, incorporating a language for wffs and a language for terms (known as labels), called a labelling language. Elements of the two languages are combined to produce declarative units of the form $\alpha : \lambda$, where $\alpha$ is a wff and $\lambda$ is a label. The interpretation of a declarative unit depends on the particular family of logics being formalised, and in substructural, or resource, logics it names a combination of resources. A theory built from declarative units is called a configuration and consists both of declarative units and literals stating the relationships between labels of the configuration (called R-literals). In this LDS approach, in which IL is considered a resource logic, the declarative unit $\alpha : \lambda$ represents the statement that the “resource” $\lambda$ verifies the wff $\alpha$. This was first exploited in [7]. Resources can be combined using the operator $\circ$ and their power of verification compared using the relation $\preceq$. Thus $\lambda \preceq \lambda'$ is interpreted to mean that $\lambda'$ can verify everything that $\lambda$ can and is thus the more powerful of the two. Depending on the properties given to $\circ$ the power of combined resources is controlled. In IL, resources can be copied, that is $\lambda \circ \lambda \preceq \lambda$, or $\lambda$ is just as powerful as multiple copies of itself. Resources can also be extended, so that $\lambda \preceq \lambda \circ \lambda'$. These properties, contraction and monotonicity, respectively, correspond to the structural rules of contraction and weakening of the standard IL sequent calculus. In fact, in LDS, all substructural logics can be treated in a uniform way, simply by including different axioms in the labelling algebra [1].

The semantics of a CLDS is given by translating a configuration into first order logic in a particular way, the notion of semantic entailment being defined with respect to such translated configurations. A set of axioms to capture the meanings of the logical operators, and a theory, called the labelling algebra, are given and are used for manipulating labels and the relations between them. The language, axiom theory and labelling algebra considered in this paper for IL are referred to as $I_{CLDS}$. An example of a semantic axiom, in this case one that captures the meaning of the $\to$ operator, using monadic predicates of the form $[\alpha]^*$, one for each different wff $\alpha$, is $\forall x([\alpha \to \beta]^*(x) \leftrightarrow \forall y([\alpha]^*(y) \to [\beta]^*(x \circ y)))$. For a given problem, the set of semantic axioms is implicitly instantiated for every wff that occurs in the problem; this set of instances together with a translation of the initial configuration, in which $\alpha : \lambda$ is translated as $[\alpha]^*(\lambda)$, can also be taken as a compiled form of the problem and any standard first order theorem prover could be used to find refutations. In previous work using CLDS [11,4] a natural deduction system to manipulate configurations was defined and shown to be sound and complete with respect to the translated semantics. Instead, in this paper a decidable refutation theorem prover AlgDP based on the methods of Davis Putnam [5] and Hyper-resolution [10] is taken as the proof system.

Although the CLDS approach may appear similar to the translation methods in [9], as used here it is part of a systematic general framework that can be applied to any logic, either old or new. It is also similar in spirit, for IL, to the standard way of translating intuitionistic theorems into first order logic using a modal S4 theory [6]. A comparison is made with these approaches at the end of Sect. 3. The theorem prover developed here could easily be adapted for other substructural logics, although the properties of the labelling algebra for IL give a particularly simple system, not completely shared with the other logics. In case a CLDS corresponds to a known logic, the correspondence with a standard presentation of that logic must also be provided. First, it is shown that every derivation in a standard presentation of that logic can be simulated by the rules of the CLDS, in this case the refutation theorem prover. Second, it is shown how to build an interpretation such that, if a formula $\alpha$ is not a theorem of the logic in question, then there is an appropriate model in which a suitable declarative unit derived from $\alpha$ is false.
In the rest of the paper, Sect. 2 details the language and axioms used for $I_{CLDS}$, Sect. 3 describes the theorem prover and Sect. 4 states and proves the results concerning soundness, completeness and correspondence. The general approach will be referred to as the CLDS system whereas the refined version for IL is referred to as the $I_{CLDS}$ system. The paper concludes with a brief discussion.

2 The Refutation CLDS Approach for $I_{CLDS}$

The CLDS approach for $I_{CLDS}$ is now described more formally. Definitions of the language, syntax and semantics are given, and configurations are introduced.



2.1 Languages and Syntax 

A basic CLDS propositional language is defined as an ordered pair $(\mathcal{L}_L, \mathcal{L}_P)$, where $\mathcal{L}_L$ is a labelling language and $\mathcal{L}_P$ is a propositional language. For $I_{CLDS}$ the language $\mathcal{L}_P$ is composed of a countable set of proposition symbols, $\{p, q, r, \ldots\}$, a unary connective $\neg$ and the binary connectives $\wedge$, $\vee$, $\to$. Two special proposition symbols are $\bot$ and $\top$, where $\bot$ is defined also as $\neg\top$ and $\top$ is defined also as $\neg\bot$. The labelling language $\mathcal{L}_L$ used in $I_{CLDS}$ is a fragment of a first-order language composed of a binary operator $\circ$, a countable set of variables $\{x, y, z, \ldots\}$, a binary predicate $\preceq$, the set of logical connectives $\{\neg, \wedge, \vee, \to, \leftrightarrow\}$, and the quantifiers $\forall$ and $\exists$. Literals using $\preceq$ are called constraints. Let the set of all wffs in $\mathcal{L}_P$ be $\{\alpha_1, \alpha_2, \ldots\}$; then the semi-extended labelling language $Func(\mathcal{L}_L, \mathcal{L}_P)$ comprises $\mathcal{L}_L$ extended with a set of skolem constant symbols $\{c_{\alpha_1}, c_{\alpha_2}, \ldots\}$, also referred to as characteristic labels or parameters. Terms of $Func(\mathcal{L}_L, \mathcal{L}_P)$ are defined inductively, as consisting of parameters and variables, together with expressions of the form $\lambda \circ \lambda'$, for terms $\lambda$ and $\lambda'$, and are also called labels. Note that all parameters will have a special role in the semantics, especially $c_\bot$, and that the parameter $c_\alpha$ represents the smallest label verifying $\alpha$. For the wff $\top$ there is the parameter $1$ (shorthand for $c_\top$) that represents the empty resource, since $\top$ is always provable.

To capture different classes of logics within the CLDS framework an appropriate first-order theory written in the language $\mathcal{L}_L$, called the labelling algebra, needs to be defined. In the case of $I_{CLDS}$, the labelling algebra, $\mathcal{A}_L$, is a binary first-order theory which axiomatises (i) the binary predicate $\preceq$ as a pre-ordering relation, (ii) the properties identity and order preserving of the commutative and associative function symbol $\circ$, and (iii) the structural properties contraction and monotonicity.

Definition 1. The labelling algebra $\mathcal{A}_L$ is the first order theory given by the following axioms, where $x$, $y$ and $z$ all belong to $Func(\mathcal{L}_L, \mathcal{L}_P)$.

1. (identity) $\forall x[1 \circ x \preceq x \wedge x \preceq 1 \circ x]$

2. (order-preserving) $\forall x, y, z[x \preceq y \to x \circ z \preceq y \circ z \wedge z \circ x \preceq z \circ y]$

3. (pre-ordering) $\forall x[x \preceq x]$ and $\forall x, y, z[x \preceq y \wedge y \preceq z \to x \preceq z]$

4. (commutativity) $\forall x, y[x \circ y \preceq y \circ x]$

5. (associativity) $\forall x, y, z[(x \circ y) \circ z \preceq x \circ (y \circ z)]$

6. (contraction) $\forall x[x \circ x \preceq x]$

7. (monotonicity) $\forall x, y[x \preceq x \circ y]$

Syntax. The CLDS language facilitates the formalisation of two types of information, (i) what holds at particular points, given by the declarative units, and (ii) which points are in relation with each other and which are not, given by R-literals. A declarative unit is defined as a pair “formula : label” expressing that a formula “holds” at a point. The label component is a ground term of the language $Func(\mathcal{L}_L, \mathcal{L}_P)$ and the formula is a wff of the language $\mathcal{L}_P$. An R-literal is any ground literal (constraint) in the semi-extended labelling language of the form $\lambda_1 \preceq \lambda_2$, $\lambda_1 \not\preceq \lambda_2$, where $\lambda_1$ and $\lambda_2$ are labels, expressing that $\lambda_2$ is, or is not, related to $\lambda_1$. In the $I_{CLDS}$ system “related to” is interpreted as “subset of” and no explicit use is made of negative R-literals. This combined aspect of the CLDS syntax yields a definition of a CLDS theory, called a configuration, which is composed of a set of R-literals and a set of declarative units. An example of an $I_{CLDS}$ configuration is the set of declarative units {q ^ P)) • I5P • p) : q : : a o b} and R-literals $\{1 \preceq a, 1 \preceq b\}$.

Definition 2. Given a CLDS language, a configuration is a tuple $(\mathcal{D}, \mathcal{F})$ where $\mathcal{D}$ is a finite set of R-literals (referred to as a diagram) and $\mathcal{F}$ is a function from the set of ground terms of $Func(\mathcal{L}_L, \mathcal{L}_P)$ to the set $PW(wff(\mathcal{L}_P))$ of sets of wffs of $\mathcal{L}_P$. Statements of the form $\alpha \in \mathcal{F}(\lambda)$ will be written as $\alpha : \lambda \in C$.

2.2 Semantics 

The model-theoretic semantics of CLDS is defined in terms of a first-order semantics using a translation method. This enables the development of a model-theoretic approach which is equally applicable to any logic whose operators have a semantics which can be expressed in a first-order theory. As mentioned before, a declarative unit $\alpha : \lambda$ represents that the formula $\alpha$ is verified (or holds) at the point $\lambda$, whose interpretation is strictly related to the type of underlying logic. These notions are expressed in terms of first-order statements of the form $[\alpha]^*(\lambda)$, where $[\alpha]^*$ is a predicate symbol. The relationships between these predicate symbols are constrained by a set of first-order axiom schemas which capture the satisfiability conditions of each type of formula $\alpha$. The language $Func(\mathcal{L}_L, \mathcal{L}_P)$ is extended by adding a monadic predicate symbol $[\alpha]^*$ for each wff $\alpha$ of $\mathcal{L}_P$.

Definition 3. Let $Func(\mathcal{L}_L, \mathcal{L}_P)$ be a semi-extended labelling language. Let the ordered set of wffs of $\mathcal{L}_P$ be $\alpha_1, \alpha_2, \ldots$; then the extended labelling language, called $Mon(\mathcal{L}_L, \mathcal{L}_P)$, is defined as the language $Func(\mathcal{L}_L, \mathcal{L}_P)$ extended with the set of unary predicate symbols $\{[\alpha_1]^*, [\alpha_2]^*, \ldots\}$.

The extended algebra $\mathcal{A}_I$ for $I_{CLDS}$ is a first-order theory written in $Mon(\mathcal{L}_L, \mathcal{L}_P)$ which extends the labelling algebra $\mathcal{A}_L$ with the axiom schemas given in Table 1. An $I_{CLDS}$ system $S$ can now be defined as $S = ((\mathcal{L}_L, \mathcal{L}_P), AlgDP)$.
In Table 1 there are the basic axioms (Ax1) - (Ax7), and clausal axioms ((Ax3a), (Ax3b), etc.) derived from them by taking each half of the $\leftrightarrow$ in turn. The first axiom (Ax1) characterises the property that increasing labels $\lambda$ and $\lambda'$, such that $\lambda \preceq \lambda'$, imply the sets of wffs verified by those labels are also increasing. The second axiom (Ax2) characterises a special property that states that, if a wff $\alpha$ is verified by some label, then it is verified by a smallest label, called the $\alpha$-characteristic label. Both these axioms relate declarative units to constraints. The others, (Ax3) - (Ax6), characterise the operators $\to$, $\neg$, $\wedge$ and $\vee$ respectively, whilst (Ax7) corresponds to the rule in intuitionistic logic that falsum implies any formula.



Table 1. Basic and clausal semantic axioms for $I_{CLDS}$

Ax1: $\forall x \forall y (x \preceq y \wedge [\alpha]^*(x) \to [\alpha]^*(y))$
Ax2: $\forall x([\alpha]^*(x) \to \exists y([\alpha]^*(y) \wedge \forall z([\alpha]^*(z) \to y \preceq z)))$
Ax3: $\forall x([\alpha \to \beta]^*(x) \leftrightarrow \forall y([\alpha]^*(y) \to [\beta]^*(x \circ y)))$
Ax4: $\forall x([\neg\alpha]^*(x) \leftrightarrow \forall y([\alpha]^*(y) \to [\bot]^*(x \circ y)))$
Ax5: $\forall w([\alpha \wedge \beta]^*(w) \leftrightarrow [\alpha]^*(w) \wedge [\beta]^*(w))$
Ax6: $\forall x([\alpha \vee \beta]^*(x) \leftrightarrow \forall y(([\alpha]^*(c_\alpha) \to [\gamma]^*(c_\alpha \circ y)) \wedge ([\beta]^*(c_\beta) \to [\gamma]^*(c_\beta \circ y)) \to [\gamma]^*(x \circ y)))$
Ax7: $\forall x([\bot]^*(x) \to [\alpha]^*(x))$

Ax2a: $\forall x([\alpha]^*(x) \to [\alpha]^*(c_\alpha))$   Ax2b: $\forall x([\alpha]^*(x) \to c_\alpha \preceq x)$
Ax3a: $\forall x \forall y([\alpha \to \beta]^*(x) \wedge [\alpha]^*(y) \to [\beta]^*(x \circ y))$
Ax3b: $\forall x([\alpha \to \beta]^*(x) \vee \neg[\beta]^*(x \circ c_\alpha))$   Ax3c: $\forall x([\alpha \to \beta]^*(x) \vee [\alpha]^*(c_\alpha))$
Ax4a: $\forall x \forall y([\neg\alpha]^*(x) \wedge [\alpha]^*(y) \to [\bot]^*(x \circ y))$
Ax4b: $\forall x([\neg\alpha]^*(x) \vee \neg[\bot]^*(x \circ c_\alpha))$   Ax4c: $\forall x([\neg\alpha]^*(x) \vee [\alpha]^*(c_\alpha))$
Ax5a: $\forall x([\alpha \wedge \beta]^*(x) \to [\alpha]^*(x))$   Ax5b: $\forall x([\alpha \wedge \beta]^*(x) \to [\beta]^*(x))$
Ax5c: $\forall x([\alpha]^*(x) \wedge [\beta]^*(x) \to [\alpha \wedge \beta]^*(x))$
Ax6a: $\forall x([\alpha]^*(x) \to [\alpha \vee \beta]^*(x))$   Ax6b: $\forall x([\beta]^*(x) \to [\alpha \vee \beta]^*(x))$
Ax6c: $\forall x \forall y([\alpha \vee \beta]^*(x) \wedge ([\alpha]^*(c_\alpha) \to [\gamma]^*(c_\alpha \circ y)) \wedge ([\beta]^*(c_\beta) \to [\gamma]^*(c_\beta \circ y)) \to [\gamma]^*(x \circ y))$


Several of the axioms have been simplified by the use of parameters and (Ax1) and (Ax2) (effectively applying Skolemisation). In the special case of IL the properties of (monotonicity) and (contraction) allow also for the ‘only if’ direction of (Ax6) to be simplified to $\forall x([\alpha \vee \beta]^*(x) \to [\alpha]^*(x) \vee [\beta]^*(x))$, called (Ax6d). This is proved in the longer report, [2]. A further simplification, due to the (monotonicity) property, is possible in $I_{CLDS}$. Since $1 \preceq 1 \circ x$ for all $x$, it follows that $1 \preceq x$, by (identity) and (transitivity). By means of this property it suffices for (Ax3c) to be replaced by $[\alpha \to \beta]^*(1) \vee [\alpha]^*(c_\alpha)$ (called (Ax3d)), since the original is then implied using (Ax1). The clausal axioms in Table 1 (using (Ax3d) and (Ax6d) in place of (Ax3c) and (Ax6c) respectively), together with the properties of the Labelling Algebra are also called the Extended Labelling Algebra. It is for finite sets of instances of these axioms that a refutation theorem prover is given in Sect. 3.

The notions of satisfiability and semantic entailment are common to any CLDS and based on a translation method which associates configurations with first-order theories in the language $Mon(\mathcal{L}_L, \mathcal{L}_P)$. Each declarative unit $\alpha : \lambda$ is translated into the sentence $[\alpha]^*(\lambda)$, and R-literals are translated as themselves.



Definition 4. Let $C = (\mathcal{D}, \mathcal{F})$ be a configuration. The first-order translation of $C$, $FOT(C)$, is a theory in $Mon(\mathcal{L}_L, \mathcal{L}_P)$ and is defined by the expression: $FOT(C) = \mathcal{D} \cup \mathcal{UA}$, where $\mathcal{UA} = \{[\alpha]^*(\lambda) \mid \alpha \in \mathcal{F}(\lambda), \lambda \text{ is a ground term of } Func(\mathcal{L}_L, \mathcal{L}_P)\}$.

The notion of semantic entailment for $I_{CLDS}$ as a relation between configurations is given in terms of classical semantics using the above definition.

Definition 5. Let $S = ((\mathcal{L}_L, \mathcal{L}_P), AlgDP)$ be an $I_{CLDS}$, $C = (\mathcal{D}, \mathcal{F})$ and $C' = (\mathcal{D}', \mathcal{F}')$ be two configurations of $S$, and $FOT(C) = \mathcal{D} \cup \mathcal{UA}$ and $FOT(C') = \mathcal{D}' \cup \mathcal{UA}'$ be their respective first-order translations. The configuration $C$ semantically entails $C'$, written $C \models_I C'$, iff for each R-literal $\delta \in \mathcal{D}'$, $\mathcal{A}_I \cup FOT(C) \models_{FOL} \delta$, and for each $[\alpha]^*(\lambda) \in \mathcal{UA}'$, $\mathcal{A}_I \cup FOT(C) \models_{FOL} [\alpha]^*(\lambda)$.

Declarative units of the form $\alpha : 1$, such that $\emptyset \models_I \alpha : 1$, where $\emptyset$ is an empty configuration, are called theorems. In order to show a theorem $\alpha : 1$ holds in $I_{CLDS}$, appropriate instances of the axioms in $\mathcal{A}_I$ are first formed for each subformula of $\alpha$, and then $\neg[\alpha]^*(1)$ is added. This set of clauses is refuted by AlgDP. More generally, to show that $\alpha$ follows from the wffs $\beta_1, \ldots, \beta_n$ the appropriate instances include those for each subformula of $\beta_1, \ldots, \beta_n$, together with $\neg[\alpha]^*(i)$, where $i = c_{\beta_1} \circ \ldots \circ c_{\beta_n}$ and the set



3 A Theorem Prover for the $I_{CLDS}$ System

As remarked earlier, the Extended Labelling Algebra $\mathcal{A}_I$ enjoys a very simple clausal form. The theorem prover described, built in Prolog, uses an adaptation of the Davis Putnam method with Hyper-resolution, called AlgDP. The axioms of the Labelling Algebra, (monotonicity), (contraction) and so on, together with Axioms (Ax1) and (Ax2a) are incorporated into the unification algorithm, called AlgU. Axioms (Ax1), (Ax2a) and (Ax2b) were otherwise accounted for in the derivation of the remaining axioms and are not explicitly needed any further. First, some definitions are given for this particular first order theory, $\mathcal{A}_I$.

Note 1. In this section, a clause will either be denoted by $C$, or by $L \vee D$, where $L$ is a literal and $D$ is a disjunction of none or more literals. All variables are implicitly universally quantified. Literals are generally denoted by $L$, but may also be of the form $L(x)$, when the argument is exactly the variable $x$, or $L(u), L(v), L(w)$, when the argument contains no variables.
For a given set of clauses $S$, the set $\mathcal{D} = \{c_\alpha \mid c_\alpha \text{ is a parameter occurring in } S\}$ is called the Herbrand Domain of $S$ and the Herbrand Universe of $S$ is the set of terms formed using the operator $\circ$ applied to elements from the Herbrand Domain. A ground instance of a clause $C$ or literal $L$ (written $C\theta$ or $L\theta$) is the result of replacing each variable $x_i$ in $C$ or $L$ by a ground term $t_i$ from the Herbrand Universe, where the substitution $\theta = \{x_i := t_i\}$. $L(u)$ unifies with $L(v)$ (with respect to AlgU) iff $u \preceq v$. Notice that unification is not symmetric. $L(u)$ unifies with $L'$ iff there is a ground instance $L(v)$ of $L'$, $L(v) = L'\theta$, such that $L(u)$ unifies with $L(v)$ and $\theta$ is the minimal substitution. That is, $L(v) \preceq L(w)$ for any other ground instance $L(w)$ of $L'$, such that $L(u)$ unifies with $L(w)$. The unifier is the substitution $\theta$. Subsumption is applied between literals in AlgDP in only two cases: $L(u)$ subsumes $L(v)$ iff $u \preceq v$, and $\neg[\bot]^*(x)$ subsumes any negative literal with predicate $[\bot]^*$. Literal $L$ subsumes clause $C$ iff $L$ subsumes a literal in $C$. Positive unit clause $L(u)$ resolves with $D \vee \neg L'$ to give $D\theta$ iff $L(u)$ unifies with $L'$ with unifier $\theta$. A Hyper-resolvent is a clause with no negative literals formed by resolving a clause with one or more positive unit clauses.



Overview of AlgDP. AlgDP operates on sets of clauses, which may be any of the following types: unit clauses, Horn clauses, or non-Horn clauses with one of the forms: $[\alpha]^*(c_\alpha) \vee [\alpha \to \beta]^*(u)$, $[\alpha]^*(u) \vee [\beta]^*(u)$ or $\forall x([\alpha \vee \beta]^*(x) \to [\alpha]^*(x) \vee [\beta]^*(x))$, where $u$ is a ground term. There is just one kind of negative unit clause, $\neg[\alpha]^*(i)$, derived from the initial goal, where $\alpha$ is the wff to be proved and $i = i_1 \circ \ldots \circ i_n$ is the label consisting of the parameters $i_1, \ldots, i_n$ that verify the formulas from which $\alpha$ is to be proved. Furthermore, since, as argued below, it is only necessary to maintain compound terms as sets, label combinations such as $x \circ y \circ z$ will be written as $xyz$. Consequently, as the Herbrand Domain $\mathcal{D}$ is finite, for any particular problem the size of the label terms has a known upper bound, equal to the size of $\mathcal{D}$. This fact is used to prove termination.

AlgDP incorporates a special unification algorithm AlgU, which is used to unify two literals $[\alpha]^*(u)$ and $[\alpha]^*(z)$, where $z$ may contain a variable, implicitly taking into account the properties of $\mathcal{A}_I$. These properties allow two labels $\lambda$ and $\lambda'$ to satisfy $\lambda \preceq \lambda'$ iff $\lambda \subseteq \lambda'$ ($\lambda$, $\lambda'$ treated as sets), for the following reason. The order of parameters in a label does not matter because of the properties (associativity) and (commutativity). Duplicate parameters in $\lambda$ can be ignored by (contraction) and in $\lambda'$ they can be ignored by (monotonicity). The parameter $1$ satisfies additionally $1 \preceq \lambda$ by (monotonicity). By (identity), the parameter $1$ is only necessary in the label $1$ itself, which is treated as the empty set. Furthermore, in any ground clause, because of contraction, each literal can be simplified by removing from any label any duplicate parameters. Thus $[\alpha]^*(aba) \vee [\beta]^*(acd)$ can be simplified to $[\alpha]^*(ab) \vee [\beta]^*(acd)$. In fact, the two clauses are equivalent in the first order theory $\mathcal{A}_I$: the first clause implies the second because of (contraction) and the second implies the first because of (monotonicity). As for unification, there are only a restricted number of kinds, which will be considered after the steps of AlgDP have been described. (The rule embodied in (Ax7) is included in the following way. Instead of explicitly deriving $[\alpha]^*(x)$ from $[\bot]^*(x)$, for every “useful” $\alpha$, the matching algorithm AlgU allows $[\bot]^*(x)$ to be unified with $[\alpha]^*(y)$ if $x$ unifies with $y$.)

The initial set of clauses for refuting a formula $\alpha$ are derived from instances of the semantic axioms appropriate for the predicates occurring in the first order translation of $\alpha$ (called the “appropriate set of clauses for showing $\alpha$”). There are seven different rules in AlgDP, which can be applied to a finite list of clauses. Five of these are defined below. The other two are a purity rule and a simplify rule and are only necessary for efficiency's sake; they are omitted here for space considerations but can be found in the full version [2]. Ground unit clauses in a list, derived by the (Hyper) or (Split) rule, are maintained as a partial model of the initial clauses. An outline Prolog version of AlgDP is given, which is shown to be correct in Sect. 4. The actual implementation is rather less non-deterministic to avoid making redundant checks. For example, subsumption is checked after any new unit clause is generated. The following rules are available:

End A list containing an atom and its complement is marked as successfully
finished. The only negative unit clause is the ground clause stating the initial
goal.

Subsumption Any clause subsumed by a unit clause $L$ is removed.

Fail A list in which no more steps are possible is marked as failed and can be
used to give a model of the initial clause set.

Hyper A hyper-resolvent (with respect to AlgU) is formed from a non-unit
clause in the list and (positive) unit clauses in the list. Only hyper-resolvents
that cannot immediately be subsumed are generated.

Split Given a list of clauses $L$ containing the ground clause $L' \vee L''$, two new lists
$[L' \mid L^-]$ and $[L'' \mid L^-]$ are formed, where $L^-$ results from removing $L' \vee L''$
from $L$. The algorithm is then applied to each list.

The outline Prolog program for AlgDP is given next. Given a list of clauses $S$
derived from a particular $I_{CLDS}$, to show $S$ is unsatisfiable or to find a model
of $S$, call dp(S, F, R), where

dp(S, F, R) holds iff R = false and F can be extended to a model of the clauses
in S, or R = true and S has no model.

There can be no tautologies in $S$ because of the way the clauses are set up, and
it is assumed there are no initially subsumed clauses. In dp1 the first argument is the
current set of positive unit clauses, and F and R are initially variables.

    0 (start).    dp(S,F,R) :- dp1([],S,F,R).

    1 (fail).     dp1(M,S,M,false) :- noRulesApplicable(M,S).        (The Fail rule)

    2 (end).      dp1(M,S,[],true) :- endIsApplicable(S,M).

    3 (subsume).  dp1(M,S,F,R) :- subsumed(C,M,S), remove(C,S,NewS),
                                  dp1(M,NewS,F,R).

    4 (hyper).    dp1(M,S,F,R) :- hyper(M,S,New), add(New,S,M,NewS,NewM),
                                  dp1(NewM,NewS,F,R).

    5 (split).    dp1(M,S,F,R) :- split(M,S,NewS,S1,S2),
                                  dp1([S1|M],NewS,F1,R1), dp1([S2|M],NewS,F2,R2),
                                  join(F1,F2,F), and(R1,R2,R).
The predicates used in the Prolog version of AlgDP can be interpreted as follows:
add(New,S,M,NewS,NewM) holds iff the units in New derived from the (Hyper)
rule are added to M to form NewM and the disjunctions in New are added to
S to form NewS. and(X,Y,Z) holds iff $Z = X \wedge Y$. endIsApplicable(S,M)
holds iff (End) can be applied to (S, M). hyper(M,S,New) holds iff New is
the set of hyper-resolvents using unit clauses in M and a clause in S that do
not already occur in M. join(F1,F2,F) holds iff F is the union of F1 and
F2. noRulesApplicable(M,S) holds iff there are no applicable rules to (M, S).
remove(P,S,NewS) holds iff clause P is removed from S to give NewS.
split(M,S,NewS,S1,S2) holds iff $S1 \vee S2$ is removed from S to leave NewS.
subsumed(C,M,S) holds iff clause C in S is subsumed by clauses from S or M.

Overview of AlgU. An analysis of the unifications that need to be made in the
system reveals them to be of the following kinds. (In the following, $z$ is always
a variable, $g_1$ and $g_2$ are ground labels, and $w$ is an arbitrary label.) (1)
Unification of $g$ in a positive literal with $z$ in a negative literal in the (Hyper)
step. The unifier is $\{z := g\}$. (2) Unification of $g_1$ in a positive literal with $g_2$ in a
negative literal in the (End) step. It succeeds if $g_1 \le g_2$, that is if $g_1 \subseteq g_2$.
(3) Unification of $g = g_1 a$ in a positive literal with a label $za$, which succeeds
with unifier $\{z := g_1\}$. In the case that $g$ does not contain $a$, the unifier is
$\{z := g\}$. (4) Special case of the (Hyper) step applied to axiom (Ax5a); consider,
as an illustration, the clause $[\alpha]^*(z) \wedge [\beta]^*(z) \to [\alpha \wedge \beta]^*(z)$ and the literals
$[\alpha]^*(a)$ and $[\beta]^*(b)$. By monotonicity, $a \le ab$ and $b \le ab$, so $[\alpha \wedge \beta]^*(ab)$ can be
derived. However, when using the (Hyper) rule, if a simple-minded unification
is made between $a$ and $z$, binding $z$ to $a$, the second unification will fail as it
would require $b \subseteq a$. In such a case, the first binding to $z$ should be $\{z := a z_1\}$
and then the second yields $\{z_1 := b\}$, with the final unifier $\{z := ab\}$. In all four
unification cases, the resolvent is either a ground positive unit clause or a ground
disjunction of two positive literals. According to the definition of unification, a
variable $z$ is always bound to the smallest ground term $g_1$ that is possible. This
is correct because for any larger term $g_2 = g_1 x$, $g_1 \le g_2$ by (monotonicity),
and this is catered for by AlgU. Moreover, any duplicate atomic labels in the label
arguments, which can only arise in the (Hyper) rule using a clause with two
negative literals, are removed.
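As an added illustration of the five rules and of the set-based unification just described (this is an example written for this page, not code from the paper or from its Prolog implementation), the following Python sketch runs AlgDP over the clause sets of Fig. 1 and Fig. 2 below. Labels are Python frozensets of parameter names, so associativity, commutativity and contraction are built in and the label 1 is the empty set; variables are plain strings. The predicate names P0, A, B and the name bot for $[\bot]^*$, the clause encodings, and the function names are this example's own conventions. The function is_model applies the model-extraction recipe used for Fig. 2 (a Herbrand literal is true iff it is subsumed by a unit in M) to every ground instance of every clause, which is the check a reader would want before trusting a returned model. Two simplifications are assumed and marked in the code: a body literal carries at most one variable (true of every clause in the figures), and when one branch of a (Split) fails, that branch's partial model is returned directly rather than joined with the other branch.

```python
# Added example, not the paper's code: a miniature AlgDP with a set-based AlgU. Labels are
# frozensets of parameters (1 = frozenset()); clause encodings and the name "bot" are ours.
from itertools import combinations, product

BOT = "bot"   # by (Ax7) a [bot]* unit matches a literal of any predicate

def lit(pred, params="", vs=""):
    """lit('P1', 'c', 'x') is P1(xc); lit('B', '', 'xy') is B(xy); lit('P3') is P3(1)."""
    return (pred, (frozenset(params), tuple(vs)))

def subsumes(fact, pred, label):   # q(g) subsumes pred(label) iff g <= label (monotonicity)
    q, g = fact                    # and q is pred or [bot]*
    return (q == pred or q == BOT) and g <= label

def true_in(M, pred, label): return any(subsumes(f, pred, label) for f in M)

def add_fact(M, fact):   # add a unit unless subsumed; drop the units it subsumes
    if true_in(M, *fact):
        return M
    return {f for f in M if not subsumes(fact, *f)} | {fact}

def unify(facts, body):
    """AlgU for one clause body: p(G + v) against unit p(g) needs g <= G u sigma(v)."""
    sigma = {}
    for (p, (G, vs)), (q, g) in zip(body, facts):
        if q != p and q != BOT:
            return None
        extra = g - G
        if len(vs) > 1:             # assumption: not needed for the clause sets of the paper
            raise NotImplementedError("body literal with two variables")
        if vs:                      # smallest binding: union of g - G over literals with v,
            sigma[vs[0]] = sigma.get(vs[0], frozenset()) | extra   # so a, b on z, z give z := ab
        elif extra:                 # ground literal: g must already be <= G
            return None
    return sigma

def instance(sigma, label): return label[0].union(*(sigma.get(v, frozenset()) for v in label[1]))

def hyper(M, S):
    """Ground hyper-resolvents of the single-headed clauses of S against the units of M."""
    facts = sorted(M, key=lambda f: (f[0], sorted(f[1])))
    out = []
    for body, head in S:
        if body and len(head) == 1:
            for choice in product(facts, repeat=len(body)):
                sigma = unify(choice, body)
                if sigma is not None:
                    out.append((head[0][0], instance(sigma, head[0][1])))
    return out

def dp(S, M=frozenset()):
    """(True, []) if M u S is unsatisfiable, else (False, M). Rules: End, Subsume, Hyper, Split, Fail."""
    for c in [c for c in S if not c[0] and len(c[1]) == 1]:   # positive ground units live in M
        M = add_fact(M, (c[1][0][0], c[1][0][1][0]))
    S = [c for c in S if c[0] or len(c[1]) != 1]
    while True:
        if any(not head and len(body) == 1 and not body[0][1][1]            # End: a unit
               and true_in(M, body[0][0], body[0][1][0]) for body, head in S):  # hits the goal
            return True, []
        S = [c for c in S if not any(true_in(M, p, G) for p, (G, _) in c[1])]  # Subsume
        fresh = [f for f in hyper(M, S) if not true_in(M, *f)]                # Hyper
        if fresh:
            for f in fresh:
                M = add_fact(M, f)
            continue
        disj = next((c for c in S if not c[0] and len(c[1]) == 2), None)      # Split
        if disj is None:
            return False, M                                                   # Fail
        rest = [c for c in S if c is not disj]
        for p, (G, _) in disj[1]:
            r, F = dp(rest, add_fact(M, (p, G)))
            if not r:
                return False, F         # simplification: the first failing branch supplies the model
        return True, []

def is_model(M, S, params):
    """Model extraction of the text: a literal is true iff subsumed by a unit of M."""
    labels = [frozenset(c) for r in range(len(params) + 1) for c in combinations(params, r)]
    for body, head in S:
        vs = sorted({v for _, (_, t) in body + head for v in t})
        for vals in product(labels, repeat=len(vs)):    # every instance of every clause
            sigma = dict(zip(vs, vals))
            if all(true_in(M, p, instance(sigma, t)) for p, t in body) and \
                    not any(true_in(M, p, instance(sigma, t)) for p, t in head):
                return False
    return True

# Clause sets of Fig. 1 and Fig. 2, encoded here (A, B stand for [alpha]*, [beta]*).
FIG1 = [([], [lit("P0", "d")]), ([lit("P3", "d")], []),
        ([lit("P0", "", "x"), lit("A", "", "y")], [lit("B", "", "xy")]),
        ([], [lit("P2", "c"), lit("P3")]), ([lit("P1", "c", "x")], [lit("P3", "", "x")]),
        ([lit("P2", "", "x"), lit("B", "", "y")], [lit(BOT, "", "xy")]),
        ([], [lit("A", "a"), lit("P1")]), ([lit(BOT, "a", "x")], [lit("P1", "", "x")])]
FIG2 = [([lit("P0")], []), ([], [lit("P1", "a"), lit("P0")]), ([lit("A", "a", "x")], [lit("P0", "", "x")]),
        ([lit("P0", "", "x"), lit("P1", "", "y")], [lit("A", "", "xy")]),
        ([], [lit("P2", "b"), lit("P1")]), ([lit(BOT, "b", "x")], [lit("P1", "", "x")]),
        ([lit("P1", "", "x"), lit("P2", "", "y")], [lit(BOT, "", "xy")]),
        ([], [lit("A", "c"), lit("P2")]), ([lit(BOT, "c", "x")], [lit("P2", "", "x")]),
        ([lit("P2", "", "x"), lit("A", "", "y")], [lit(BOT, "", "xy")])]
```

dp(FIG1) returns (True, []), the refutation of the theorem; dp(FIG2) returns (False, M) with a partial model M. Because splits are taken in clause order, the model found can differ from the one quoted in the text for Fig. 2, but is_model(M, FIG2, "abc") confirms that it satisfies clauses (1)-(10), including the negated goal, so $P_0(1)$ is false in it. The unify function on its own reproduces case (4): matching $[\alpha]^*(z) \wedge [\beta]^*(z)$ against $[\alpha]^*(a)$ and $[\beta]^*(b)$ binds $z$ to $ab$.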

Examples. An example of a refutation is given in Figure 1, in which the theorem
$(\alpha \to \beta) \to (\neg\beta \to \neg\alpha)$ is proved. For simplicity, the parameters used are called
$a, b, c, \ldots$ instead of having the form $c_\alpha$ etc., and the predicates $A$ and $B$ are
used in place of $[\alpha]^*$ and $[\beta]^*$. The calls to dp1 can be arranged into a tree,
bifurcation occurring when the (Split) rule is used. In the derivation in Fig. 1
each line, after the initial clauses, records a derived clause. Derived unit clauses
are added to an accumulating partial model $M$, which is returned in case
of a branch ending in failure. In Fig. 1, for example, there are three branches
in the tree of calls to dp1, which all terminate with the use of the (End) rule.
They all contain lines (1)-(8) implicitly; the first branch then contains lines
(9)-(15), the second branch contains lines (9), (10), (16), (17), and the third
branch (the other half of the split on clause (7)) contains lines (18)-(20). On the
other hand, Fig. 2 gives an example of a failed derivation for a non-theorem of
Intuitionistic Logic, namely $\neg\neg\alpha \to \alpha$.



Initial clauses:

(1) $P_0(d)$
(2) $\neg P_3(d)$
(3) $P_0(x) \wedge A(y) \to B(xy)$
(4) $P_2(c) \vee P_3(1)$
(5) $P_1(xc) \to P_3(x)$
(6) $P_2(x) \wedge B(y) \to [\bot](xy)$
(7) $A(a) \vee P_1(1)$
(8) $[\bot](ax) \to P_1(x)$

Initial translation:

$P_0(x)$ for $[\alpha \to \beta](x)$
$P_1(x)$ for $[\neg\alpha](x)$
$P_2(x)$ for $[\neg\beta](x)$
$P_3(x)$ for $[\neg\beta \to \neg\alpha](x)$

Derivation:

(9)  (Split (7))  $A(a)$
(10) (Hyper (3))  $B(da)$
(11) (Split (4))  $P_2(c)$
(12) (Hyper (6))  $[\bot](cda)$
(13) (Hyper (8))  $P_1(cd)$
(14) (Hyper (5))  $P_3(d)$
(15) (End)
(16) (Split (4))  $P_3(1)$
(17) (End)
(18) (Split (7))  $P_1(1)$
(19) (Hyper (5))  $P_3(1)$
(20) (End)

Fig. 1. Refutation of $(\alpha \to \beta) \to (\neg\beta \to \neg\alpha)$ in $I_{CLDS}$ using AlgDP



Initial clauses:

(1) $\neg P_0(1)$
(2) $P_1(a) \vee P_0(1)$
(3) $A(ax) \to P_0(x)$
(4) $P_0(x) \wedge P_1(y) \to A(xy)$
(5) $P_2(b) \vee P_1(1)$
(6) $[\bot](bx) \to P_1(x)$
(7) $P_1(x) \wedge P_2(y) \to [\bot](xy)$
(8) $A(c) \vee P_2(1)$
(9) $[\bot](cx) \to P_2(x)$
(10) $P_2(x) \wedge A(y) \to [\bot](xy)$

Initial translation:

$P_0(x)$ for $[\neg\neg\alpha \to \alpha](x)$
$P_1(x)$ for $[\neg\neg\alpha](x)$
$P_2(x)$ for $[\neg\alpha](x)$

Derivation:

(11) (Split (2))  $P_0(1)$
(12) (End)
(13) (Split (2))  $P_1(a)$
(14) (Split (8))  $P_2(1)$
(15) (Hyper (7))  $[\bot](a)$
(16) (Hyper (3))  $P_0(1)$
(17) (End)
(18) (Split (8))  $A(c)$
(19) (Hyper (3))  $P_0(c)$
(20) (Split (5))  $P_1(1)$
(21) (Fail)

Fig. 2. Attempted refutation of $\neg\neg\alpha \to \alpha$ in $I_{CLDS}$ using AlgDP



There are three branches followed in the tree of calls to dp1, the last of
them ending at line (21). Note that in line (16) (Ax7) is used implicitly to derive
$A(a)$ before using (3). The resulting model is $M = \{P_0(c), P_1(1), A(c)\}$ (the atom
$P_1(a)$ is subsumed by $P_1(1)$). A model of the initial clauses, $End_M$, is extracted
by assigning true to all literals in the Herbrand Base that are subsumed by a
literal in $M$ and assigning false to all other literals in the Herbrand Base. The
reader can check that this gives a model of the clauses (1)-(10) in Fig. 2. This
model can also be seen to correspond to a standard Kripke countermodel for this
formula. Notice that in Fig. 1 only some of the appropriate axioms have been
included. For example, clauses such as $P_1(x) \wedge A(y) \to [\bot]^*(xy)$, that is clauses
derived from both halves of the appropriate equivalence schemas, might have been
expected. However, it is only necessary to include a restricted number
of clauses, based on the polarity of the sub-formula occurrences (see [2]). It is,
however, easier to show the correspondence with intuitionistic logic when both
halves of the schema equivalences are included, and this is the assumption made
in this paper.

Comparison. The example in Fig. 2 is used to make a comparison with other approaches
to embedding IL in classical logic. In the standard translation approach
for the example, based on a possible worlds semantics, the sentences of FOL
that are obtained for refutation are the following: (i) $\forall x \forall y [R(x,y) \wedge \alpha(x) \to \alpha(y)]$,
which expresses that a true formula remains true in all accessible worlds, together
with the reflexivity and transitivity of the accessibility relation $R$, and
(ii) $\forall x \forall y [\forall z [R(y,z) \to \exists w [R(z,w) \wedge \alpha(w)]] \wedge R(x,y) \to \alpha(y)]$, which is the
translation of the formula $\neg\neg\alpha \to \alpha$, which is to be proved. Sentence (ii) is
then negated ready for refutation, yielding $R(a,b)$, $\neg\alpha(b)$ and $\forall z [R(b,z) \to
\exists w [R(z,w) \wedge \alpha(w)]]$, in which $a$ and $b$ are Skolem constants. Without some
careful strategies, standard resolution will not, in general, terminate for such
translated formulas. On the other hand, the CLDS approach allows IL to
be treated as a resource logic, and additional properties in the labelling algebra
such as (monotonicity) enable simple decidable strategies to be used. There is
also a similarity with the functional translation method [9], which for this example
gives the translation $\forall \gamma [\forall \delta \exists \delta' [\alpha(0.\gamma.\delta.\delta')] \to \alpha(0.\gamma)]$. An argument such as
$0.\gamma.\delta$ represents a path obtained by applying the functors $\gamma$ and $\delta$ to world 0 that
leads from 0 to an accessible world. In this case, a refutation is not possible, as
after negating, the two clauses $\alpha(0.a.x.b(x))$ and $\neg\alpha(0.a)$ are obtained, which do
not unify (using the special unification algorithm of that approach). In general,
careful unification strategies are again needed for termination, see [12], in which
it is also shown that the Skolem function $b(x)$ of this example can be eliminated
in favour of a constant. In the CLDS approach the difficulties with termination
are compiled into the use of the structural rules in the labelling algebra. Moreover,
although in this example a model can be extracted from the failure, it is
not as obvious as in the more explicit CLDS approach.

Properties of AlgDP. There are several properties that can be stated about the
relationship between the semantics given by the axioms in the extended labelling
algebra $\mathcal{A}_I$ and the procedure AlgDP. They are all stated in Theorem 1
and are proved in Sect. 4.

Theorem 1. Let $S$ be an $I_{CLDS}$, $\alpha$ be a propositional IL formula and $\mathcal{A}_I(\alpha)$ be
the particular clauses and instances of the semantic axioms for showing $\alpha$, and
$G_\alpha = \mathcal{A}_I(\alpha) \cup \{\neg[\alpha]^*(1)\}$. Let AlgDP be initiated by the call dp($G_\alpha$, F, R) for
variables F and R; then the following properties hold:

1. If AlgDP returns R = true then $G_\alpha \models_{FOL}$ (that is, $G_\alpha$ has no model).

2. If AlgDP returns R = false then F is a partial model of $G_\alpha$ and $G_\alpha \not\models_{FOL}$.

3. AlgDP terminates.

4. If $\alpha$ is also a Hilbert theorem of propositional intuitionistic logic (i.e. $\alpha$ can
be derived from the Hilbert axioms for IL and Modus Ponens), then $G_\alpha \models_{FOL}$.

5. If $G_\alpha \models_{FOL}$ then $\alpha$ is a theorem of IL.

Properties (1) and (2) are soundness and completeness results for AlgDP, in the
sense that they show the algorithm is correct with respect to finding refutations.
These properties, together with Property (3), are proved in Sect. 4.1 and show
that AlgDP is a decision procedure. Properties (4) and (5) show that AlgDP corresponds
with IL, (4) showing it gives a refutation for any theorem of IL, and (5) showing
it only succeeds for theorems. These properties are shown in Sect. 4.2.

4 Proving the Properties of AlgDP 

In this section properties (1)-(3) of Theorem 1 are proved. The proof of Property
(3) is given by Lemma 1, whilst Lemma 2 shows Properties (1) and (2).

4.1 Soundness and Completeness of AlgDP 

Definition 6. The DPSize of a call dp1(M, S, F, R) is a pair (clausect, unitct),
where clausect counts the number of clauses in S and unitct counts the size
of M. Given DPSizes $(x, y)$ and $(u, v)$, then $(x, y) <_{DP} (u, v)$ iff $x < u$ or
$x = u \wedge y < v$.

Lemma 1. Given an initial call dp1(M, S, F, R), AlgDP will always terminate.

Proof. Note first that in all cases of AlgDP except (Hyper), the DPSize of the
recursive call is smaller than the DPSize of the conclusion. Since the relation $<_{DP}$
is well-founded, after a finite number of steps either there must be a (Hyper)
step or there is termination. For (Hyper) steps, notice that once a unit H has
been generated by (Hyper) there is always a unit in M that subsumes H (which
may be H itself), and so H is never again generated. Since there are only a
finite number of possible units, limited by the finiteness of the parameters, there
is a maximum number of (Hyper) steps that can be made. Thereafter the only
possible steps are those that reduce the DPSize.

□ 

Lemma 2. Each clause of dp1 satisfies the following invariant, called (INV).
Either R = false, $M \subseteq F$ and F can be extended to a model of S, or
R = true, F = [] and $M \cup S$ have no models.

Proof. For each of the five clauses of dp1 it is shown that if the dp1 conditions
of the clause satisfy invariant (INV) and the other conditions are also true, then
the dp1 conclusion of the clause satisfies (INV) also.

78    Krysia Broda and Dov Gabbay

Fail R is false; all rules have been applied and F = M. Certainly $M \subseteq F$, and
also F can be extended to a model $M_0$ of S (which may now be empty)
as follows. Any literal subsumed by a literal in M is true in $M_0$. All other
literals are false in $M_0$. The clauses left in S can only generate subsumed
clauses or they are negative units. Suppose there is a non-negative clause C
in S that is false in $M_0$. That is, for some instance $C'$ of C, its condition
literals are true in $M_0$ and its conclusion is false in $M_0$. If the conclusion is a
single literal then, as (Hyper) has been applied, the conclusion is either true
in M, and hence in $M_0$, or it is subsumed by a clause in M, and again is true
in $M_0$, a contradiction. If the conclusion is a disjunction, then (Split) must
eventually have been applied and the conclusion will again be true in M, or
the disjunction is subsumed by a literal in M, contradicting the assumption.
In case C is a negative clause in S, then if it is false, some instance $C' = \neg L$
of C is false, that is, L is true in $M_0$. But in that case (End) would have been
applied, leading to a contradiction.

End R is true; since (End) is applicable, $M \cup S$ have no models; also F = [].

Subsume Suppose (INV) is satisfied by dp1(M, NewS, F, R) and R = false.
Then $M \subseteq F$ and some model $F_0$ of F is a model of NewS. Let C be the
subsumed clause removed from S. Then in case C is subsumed by a positive
ground unit in M, by the axiom (Ax1) $F_0$ makes C true. No clause can be
subsumed by the negated goal clause since it is ground and no other negative
literals in S are ground. Thus $F_0$ is also a model of S. In case R = true, then
NewS $\cup$ M has no models, so S $\cup$ M have no models either; also F = [].

Hyper Suppose (INV) is satisfied by dp1(NewM, NewS, F, R) and R = false,
NewM $\subseteq$ F and some model $F_0$ of F satisfies NewS. Then $M \subseteq F$ and $F_0$
is also a model of M that makes S true. In case R = true, F = [], then
every model of NewM falsifies NewS. Suppose there is a model $M_0$ of M
that is also a model of S. Therefore, there is an instance $C'$ of a clause C in
S to which (Hyper) is applied, but such that the conclusion of $C'$, which
is either in NewS or NewM, is false in $M_0$. Since (Hyper) is applicable to
$C'$, the conditions must occur in M and hence be true in $M_0$. But then the
conclusion must also be true in $M_0$, a contradiction. Hence all models of M
do falsify S as well and $M \cup S$ have no models.

Split Suppose that dp1([S1|M], NewS, F1, R1) and dp1([S2|M], NewS, F2, R2)
both satisfy (INV) and that R1 = R2 = true. Then F = [], since
F1 = [] and F2 = []. Also every model of [S1|M] and of [S2|M] falsifies
NewS. Therefore, any model of M must make either S1 true, and hence
NewS and S false, or S2 true, and NewS and S false, or both S1 and S2
false, and again S false as $S1 \vee S2 \in S$. On the other hand, suppose one of
R1 or R2 is false, say R1; then [S1|M] $\subseteq$ F1 and some model $F_0$ of F1 satisfies
NewS. In this case $F_0$ also satisfies $S1 \vee S2$. Similarly, if R2 is false, there is
a model of F2 $\supseteq$ [S2|M] that satisfies $S1 \vee S2$. Finally, $M \subseteq F$ as $M \subseteq F1$
or $M \subseteq F2$.

Suppose that on termination, after the initial call dp1([], S, F, R), the final values
of S, M, R and F are given by S', M', R' and F'. If the value of R' is true, then
the invariant (INV) implies that F' = [] and $M' \cup S'$ have no models. Therefore,
the initial call dp1([], S, F', R') also satisfies the invariant (INV) and S has no
models. (R' and F' are used since their values are only assigned at termination
of dp1.) On the other hand, if the value of R' is false, then F' yields a model
for S'. Therefore, by the invariant (INV), the initial call dp1([], S, F', R') also
yields a model of S. Properties (1), (2) and (3) of Theorem 1 are therefore true.

□ 
4.2 Correspondence of $I_{CLDS}$ with Intuitionistic Logic

In order to show that the refutation system $I_{CLDS}$ presented here for Intuitionistic
Logic does indeed correspond to a standard Hilbert axiom presentation it is
necessary to show that theorems in the two systems correspond (Properties 4
and 5 of Theorem 1). The complete set of axioms is shown in Table 2. Axioms
(I2), (I3), (I4) and (I5) correspond, respectively, to monotonicity, contraction,
distributivity and permutation. A useful axiom, (I14), is derivable also and is
included for convenience. Axioms (I6) to (I8) capture negation and (I9) to (I13)
capture conjunction and disjunction. Respectively, Theorems 2 and 3 state that
theorems in IL obtained from a standard Hilbert presentation of IL, together with
the rule of Modus Ponens (MP), are also theorems of AlgDP, and that theorems
of $I_{CLDS}$ are also theorems in the Hilbert system of Intuitionistic Logic.



Table 2. The Hilbert axioms for $I_{CLDS}$
It is fairly easy to show that a refutation of a translated theorem T of IL
exists using the appropriate equivalence schemas from the semantic axioms. But
a stronger result, namely, that a refutation exists when only the restricted set
of axioms for T is used, can also be shown. This allows a failed refutation (for
non-theorems) to be found more quickly as fewer axioms are included, but it is
more complex to prove.

Theorem 2. Let P be a Hilbert theorem of IL; then $\{\neg[P]^*(1)\}$ together with the
appropriate set of instances of the semantic axioms (equivalences) for $\neg[P]^*(1)$, $P_S$,
has no models.

Proof. (Outline only.) Let $P_S$ be the set of defining equivalences for P and
its subformulas, $\forall x[[P]^*(x) \leftrightarrow R(x)]$ be the defining equivalence for $[P]^*$ and
$\forall x[[P]^*(x) \leftrightarrow T_P(x)]$ be the resulting equivalence after replacing every occurrence
in $R(x)$ of an atom that has a defining equivalence in $P_S$ by the right-hand
side of that equivalence. Then $T_P(1)$ is always true. Therefore, there are
no models of $P_S$ and $\neg[P]^*(1)$. This property of $T_P(1)$ is shown by induction
on the number of (MP) steps in the Hilbert proof of P. In case P is an axiom
and uses no applications of (MP) in its proof, then the property can be
seen to hold by construction. Let the property hold for all theorems that have
Hilbert proofs using $< n$ applications of (MP), and consider a theorem P such
that its proof uses $n$ (MP) steps, with the last step being a derivation from $P'$
and $P' \to P$. By hypothesis, $T_{P'}(1)$ is true and $T_{P' \to P}(1)$ is true. Hence, since
$\forall x[T_{P' \to P}(x) \leftrightarrow \forall u[T_{P'}(u) \to T_P(ux)]]$, $T_P(1)$ is also true.

□ 

Theorem 3. Let $G_\alpha$ be the set of instances of $\mathcal{A}_I$ for showing $\alpha$ (not including
$\neg[\alpha]^*(1)$); then if there exists an AlgDP refutation in $I_{CLDS}$ of $G_\alpha \cup \{\neg[\alpha]^*(1)\}$ then
there is a Hilbert proof in IL of $\alpha$, which is therefore a theorem of IL. That is,
if $G_\alpha, \neg[\alpha]^*(1) \models_{FOL}$ then $\vdash_{HI} \alpha$.

Proof. Suppose $G_\alpha, \neg[\alpha]^*(1) \models_{FOL}$; hence any model of $G_\alpha$ is also a model of
$[\alpha]^*(1)$; it is required to show $\vdash_{HI} \alpha$. Lemma 3 below states there is a model
M of $\mathcal{A}_I$, and hence of $G_\alpha$, with the property that $[\alpha]^*(1)$ = true iff $\vdash_{HI} \alpha$.
Therefore, since M is a model of $\mathcal{A}_I$ it is a model of $[\alpha]^*(1)$ and hence $\vdash_{HI} \alpha$,
as required. The desired model is based on the canonical interpretation
introduced in [1].

□ 

Definition 7. The canonical interpretation for $I_{CLDS}$ is an interpretation from
$Func(C_P, C_L)$ onto $PW(C_P)$ defined as follows:

- $\|c_\alpha\| = \{z \mid \vdash_{HI} \alpha \to z\}$, for each characteristic label $c_\alpha$;

- $\|\lambda \circ \lambda'\| = \{z \mid \vdash_{HI} \alpha \wedge \beta \to z\}$, where $\alpha \in \|\lambda\|$ and $\beta \in \|\lambda'\|$;

- $\|1\| = \{z \mid \vdash_{HI} z\}$ and $\|c_\bot\| = \{z \mid \vdash_{HI} \bot \to z\} = C_P$;

- $\|\le\| = \{(\|x\|, \|y\|) \mid \|x\| \subseteq \|y\|\}$;

- $\|[\alpha]\| = \{\|x\| \mid \alpha \in \|x\|\}$.

The canonical interpretation is used to give a Herbrand model for $\mathcal{A}_I$, by setting
$[\alpha]^*(x)$ = true iff $\alpha \in \|x\|$. This means, in particular, that if $[\alpha]^*(1)$ = true then
$\alpha \in \|1\|$ and hence $\vdash_{HI} \alpha$. The following Lemma, proved in the full version [2],
states that the canonical interpretation of Def. 7 is a model of $\mathcal{A}_I$.

Lemma 3. The properties of the labelling algebra $\mathcal{A}$ given in Def. 1 and the
semantic axioms of $\mathcal{A}_I$ are satisfied by the canonical interpretation for $I_{CLDS}$.

5 Conclusions 

In this paper a new method, that of Compiled Labelled Deductive Systems,
based on the principles in [7], is applied to Intuitionistic Logic. The method of
CLDS provides logics with a uniform presentation of their derivability relations
and semantic entailments, and its semantics is given in terms of a translation
approach into first-order logic. The method is used to give a presentation of
$I_{CLDS}$, which is seen to be a generalisation of Intuitionistic Logic through the
correspondence results stated in Section 4. In fact, the CLDS approach yields a
generalisation of IL, although this has not been exploited here.

The translation results in a compiled theory of a configuration. A refutation
system based on an extension of the Davis-Putnam procedure is defined for
this theory, which is well suited to the case of $I_{CLDS}$. The prover also uses hyper-resolution
with splitting and a particular unification algorithm, which together
result in only ground clauses ever being derived. It yields a decidability test
for formulas of propositional Intuitionistic Logic. Other standard approaches to
providing a first order representation of IL do so by translating IL sentences into
the modal logic S4 [6], and the CLDS method and such approaches were compared
through examples. However, it is emphasised once more that the method of
CLDS is a uniform approach that can be applied to give new logics, as well as old
ones. Only the case of Intuitionistic Logic has been considered here, but Linear
Logic is considered in [4]. Labelling algebras for Linear Logic use the properties
(1)-(5) of Def. 1, and for Relevance Logic the (contraction) property is added too.
(See [1] and [4] for a full discussion of this issue.) In the presence of monotonicity
the algorithm AlgDP can be restricted to deriving ground clauses, and it would
also be suitable for other logics that include the monotonicity property, such as
Lukasiewicz fuzzy logic. On the other hand, the monotonicity property does not
hold for Linear Logic, and, for example, instances of (Ax3b) would take the form
$\forall x([\alpha]^*(a) \vee [\alpha \to \beta]^*(x))$ and one branch of a (Split) rule application would include
$[\alpha \to \beta]^*(x)$ for all values of $x$. Together with an instance of (Ax3a) this
could lead to atoms of the form $[\beta]^*(x \circ \lambda)$, for some ground or variable label $\lambda$.
Furthermore, in Linear Logic, for instance, labels must be treated as multisets of
the composing parameters, so, for example, $[\alpha]^*(a)$ does not subsume $[\alpha]^*(aa)$
any more. Decidability becomes a more difficult issue. For a classical system,
the requirement $c_\alpha =$ can be added to the labelling algebra, which allows
the double negation rule to be derived. In Fig. 2, this allows for $a$ and $c$ to be
identified, so allowing the proof to terminate successfully.

Acknowledgement. The authors acknowledge their debt to foundation work in 
[1] and thank the anonymous referee who indicated a potential error. 

References 

1. M. D'Agostino and D. Gabbay. A generalisation of analytic deduction via labelled
deductive systems. Part I: Basic substructural logics. Journal of Automated Reasoning,
13:243-281, 1994.

2. K. Broda. A compiled labelled deductive system for propositional intuitionistic
logic (full version). Available from K. Broda, 1998.

3. K. Broda, M. Finger and A. Russo. Labelled natural deduction for substructural
logics. Accepted, Journal of the International Group for Pure and Applied Logics.

4. K. Broda and A. Russo. A unified compilation style labelled deductive system
for modal and substructural logic using natural deduction. Technical Report
10/97, Department of Computing, Imperial College, 1997.

5. C. L. Chang and R. Lee. Symbolic Logic and Mechanical Theorem Proving. Academic
Press, 1973.

6. M. Fitting. Proof Methods for Modal and Intuitionistic Logic. D. Reidel, 1983.

7. D. Gabbay. Labelled Deductive Systems, Volume I: Foundations. OUP, 1996.

8. J. H. Gallier. Logic for Computer Science. Harper and Row, 1986.

9. H. J. Ohlbach. Semantics-based translation methods for modal logics. Journal of
Logic and Computation, 1(5):691-746, 1991.

10. J. A. Robinson. Logic, Form and Function. Edinburgh Press, 1979.

11. A. Russo. Modal Logics as Labelled Deductive Systems. PhD Thesis, Department
of Computing, Imperial College, 1996.

12. R. A. Schmidt. Resolution is a decision procedure for many propositional modal
logics. Advances in Modal Logic, Vol. 1: 189-208, CSLI, 1998.



Intuitionistic Tableau Extracted



James Caldwell 



Department of Computer Science 
University of Wyoming 
Laramie, WY 

caldwell@denali.cs.uwyo.edu



Abstract. This paper presents a formalization of a sequent presentation
of intuitionistic propositional logic and a proof of decidability. The
proof is implemented in the Nuprl system and the resulting proof object
yields a "correct-by-construction" program for deciding intuitionistic
propositional sequents. The extracted program turns out to be an
implementation of the tableau algorithm. If the argument to the resulting
decision procedure is a valid sequent, a formal proof of that fact is
returned; otherwise a counter-example in the form of a Kripke countermodel
is returned. The formalization roughly follows Aitken, Constable
and Underwood's presentation in [1] but a number of adjustments and
corrections have been made to ensure the extracted program is clean (no
non-computational junk) and efficient.



1 Introduction 

Confronted with the notion of automated verification the astute skeptic correctly
asks, "Who verifies the verifier?" This paper, presenting a formally developed
decision procedure for a sequent presentation of intuitionistic propositional
logic, addresses the skeptic's question, even if only peripherally. We describe the
formalization and mechanical checking, in Nuprl, of a proof that intuitionistic
propositional logic is decidable. The program extracted from the formal proof is
a tableau decision procedure: invoked with a sequent as its argument, it returns
either a multi-succedent sequent proof or a Kripke counter-example, depending
on whether the formula to be decided is valid or not. With the proof of decidability
as our focus, we describe the formal development of a sequent proof theory,
the tableau construction, and a formal theory of Kripke counter-examples, which
are used here as evidence of unprovability. A principal goal of the work reported
here is the extraction of a reasonably readable and efficient program from the
formal proof via the "proofs-as-programs" interpretation implemented in Nuprl.

1.1 Related Work 

In a series of papers [19,18,20,1], Underwood and her colleagues presented constructive
completeness proofs for intuitionistic propositional logic having tableau
decision procedures as their computational content. The work reported on here
extends those efforts. Underwood worked out a type theoretic presentation of the
problem and presented informal proofs, including a new termination argument
for the tableau construction. The formalization and proof presented here follows
the proof presented in the paper by Aitken, Constable and Underwood [1] (hereafter
referred to as ACU). A fuller account of the formalization and proof can be
found in [6]. In this paper we describe the formal implementation in Nuprl and
adjustments made to the formalization that result in a readable and "efficient"¹
extracted program.

The idea of verifying decision procedures is not new, but actual verifications
are not common. One example that has been published at least five times and in
a number of systems is Boyer and Moore's (classical) propositional tautology
checker, which takes the form of an IF-THEN-ELSE normalization procedure. Of
those efforts, Paulin-Mohring and Werner's extraction of an ML program [14]
is closest in spirit to the presentation here. Both Shankar [16] and Hayashi [12]
have verified deciders for implicational fragments of classical propositional logic
presented in sequent forms. Caldwell [4,6] extracted a tableau decision procedure
from a proof of the decidability of a sequent presentation of classical propositional
logic.

Weich [21] formalized a proof of decidability for the implicational fragment
of propositional intuitionistic logic in MINLOG. His work is also closely related
to the proof presented here; indeed, his effort was also inspired by Underwood's
formulation of constructive decidability. Weich's proof differs from the one reported
on here in that it is based on a contraction-free calculus. He reports [22]
that the extracted program is huge (about 60KB) and efforts are underway to
minimize its size.

1.2 Results 

The program extracted from the proof of intuitionistic decidability presented 
here is the first to include a full propositional logic, i.e. the logic formalized 
here includes propositional variables, a constant denoting false, and operators 
for conjunction, disjunction, and implication. The extracted program is readable 
and efficient in the sense that it does not perform extraneous computation related 
to the logical part of the specification, nor does it contain unreadable artifacts 
of the proof in its text. These qualities will be most evident to those familiar 
with the state of the art in program extraction. 

In the course of the development presented here, a number of minor errors
in the ACU presentation were discovered; additionally, a more serious error
was uncovered. Indeed, discovering errors like these is one point of formal
machine-checked proofs. The presentation here differs from that of ACU in two
significant ways. First, we have made modifications to the type theoretic
formalization to guarantee the program extracted from the proof is free of the
non-computational junk that often clutters programs extracted from constructive
proofs. The methodology of using set types in place of existential quantifiers
to generate efficient extracts has been described elsewhere [5,6]. The second
difference between the formalization presented here and that of ACU is in the proof
type used as evidence of validity. We formalize a multi-succedent sequent calculus
while ACU attempted to push the argument through for a single succedent
calculus. Although the overall structure and most of the details of the ACU proof
survive in the version presented here, the ACU proof is incorrect. We simply remark
that ACU failed to fully consider the case of reconstructing a proof object
after the application of the tableau rule for a negatively occurring disjunction.

¹ Of course intuitionistic propositional logic is known to be PSPACE complete; what
we mean here by "efficient" is that the extracted program doesn't do unnecessary
computation and that the program does not contain non-computational artifacts of
the proof.

2 Nuprl 

The Nuprl type theory is a sequent presentation of a constructive type theory 
via type assignment rules. The underlying programming language is untyped and 
the objective of a proof is to either prove a type is inhabited, i.e. to show that 
some term (program) is a member of the type, or to show that a term inhabits 
a particular type. A complete presentation of the type theory can be found in 
the Nuprl book [7]. 

The Nuprl system supports construction of proofs by top-down refinement. 
The prover is implemented as a tactic based prover in the style of LCF. The 
tactic language is ML. Nuprl differs from other LCF-style provers in that tactic 
invocations define the structure of an explicitly represented proof tree which is 
directly manipulated in the editor, stored in the Nuprl library, and retrieved 
for later editing. The Nuprl system also supports a unique and powerful display 
mechanism. Nuprl terms are edited using a structure editor; term structure is 
independent of display which is user specified. All Nuprl terms occurring in this 
paper are set in typewriter font and appear on the page as they do in the 
Nuprl editor and library. 

Complete documentation is included in the Nuprl V4.2 distribution.^ 

2.1 Clean and Efficient Extracts 

Methods of generating efficient and readable extracts by the use of the set type 
(as opposed to the existential type) and by efficient general recursion combinators 
have been presented by the author in [5,4,6]. We reiterate the main points here. 

Inhabitants of the existential type ∃x:T. P[x] are pairs <a,b> where a∈T and 
b∈P[a]. The term b inhabiting P[a] specifies, as far as the proofs-as-programs 
interpretation goes, how to prove P[a]. When an existential type occurs as a 
hypothesis it can be decomposed into two hypotheses, one of the form a:T and 
another asserting b:P[a]. If v is the name of the variable denoting the existential 
hypothesis, occurrences of a in the final extract appear as v.1, and occurrences 
of b appear as v.2 (the first and second projections). 

^ The Nuprl system is freely available on the Nuprl group web pages at Cornell, 
http://www.cs.cornell.edu/Info/Projects/NuPrl/nuprl.html. 



Intuitionistic Tableau Extracted    85 



Alternatively, consider the Nuprl set type {y∈T|P[y]}. Its inhabitants are 
elements of type T, say a, such that P[a] holds. Thus, a set type does not carry 
the computational content associated with the logical part P [a] . Since the proof 
that P[a] holds is not witnessed by inhabitants of the set type, the fact that 
P [a] holds is not freely available in parts of a proof where it might find its way 
into an extract. When a set type occurring as a hypothesis is decomposed it 
results in two new hypotheses: one of the form a:T; and the other, a “hidden” 
hypothesis, of the form b:P[a]. The Nuprl system prevents the variable of a 
hidden hypothesis from appearing free in the extract of a proof by restrictions 
on its use. Hidden hypotheses are unhidden by the system in parts of the proof 
where no computational content is constructed. 

Although these issues may appear to be Nuprl specific technicalities, they 
arise in all constructive systems implementing the proofs-as-programs interpre- 
tation. 



2.2 Efficient Induction Schemes 

We are interested in extracting efficient programs from proofs; to do so we care- 
fully construct proofs of the induction principles to ensure their extracts are 
efficient recursion combinators. 

The Nuprl standard library includes the following type characterizing well- 
founded binary relations: 

WellFnd(A;x,y.R[x;y]) ≝ 
  ∀P:A → Prop. (∀j:A. (∀k:A. R[k;j] ⇒ P[k]) ⇒ P[j]) ⇒ ∀n:A. P[n] 

Well-founded induction on the natural numbers over the ordinary less-than 
ordering is specified by a lemma of the form WellFnd(ℕ;x,y. x < y). 

The following recursion scheme inhabits this type. 

λP,g. (letrec f(n) = g(n)(λk,p. f(k))) 

Here P is a proposition (over type A), and g corresponds to the computational 
content of the induction hypothesis. In this scheme, g takes two arguments, the 
first being the principal argument on which the recursion is formed, while its 
second argument is a function inhabiting the proposition ∀k:A. R[k;j] ⇒ P[k], 
i.e. a function which accepts some element k of type A along with evidence for 
R[k;j] and which produces evidence for P[j]. In the scheme, the evidence that 
R[k;j] holds takes the form of the argument p to the innermost λ-binding. The 
variable p occurs nowhere else in the term and does not contribute to the actual 
computation of P[j]; instead it is a vestige of the typing. In the context 
of any complete proof, this argument will be a term justifying R[k;j]. In any 
program extracted from a proof using this scheme, the useless argument p must 
be supplied. This term is non-computational junk. 

As an alternative, we give the following definition of well-founded binary 
relations that hides the ordering in a set type; this type, simply called WF is 
defined as follows: 

WF(A;x,y.R[x;y]) ≝ 
  ∀P:A → Prop. (∀j:A. (∀k:{k:A| R[k;j]}. P[k]) ⇒ P[j]) ⇒ ∀n:A. P[n] 

Since the ordering relation is now hidden in the right side of a set type, it 
does not contribute to the computational content of the extracted programs. 
The recursion scheme extracted from a proof of this type is nearly identical to 
the previous one, but the extra (useless) lambda-abstraction is gone. 

λP,g. (letrec f(n) = g(n)(λk. f(k))) 

For an arbitrary type T and a measure function p:T → ℕ, the following lemma 
defines an efficient measure induction principle. 

∀T:Type. ∀p:T → ℕ. WF(T;x,y. p(x) < p(y)) 

Extraction: 

λT,p,P,g. (letrec f(n) = g(n)(λk. f(k))) 

Note that the measure function p does not occur in the body of the extract, 
logically it belongs to the termination argument which is not part of the com- 
putational content. 

The proof of intuitionistic decidability presented below is by induction on the 
lexicographic ordering of a pair of inverse images (measure functions mapping 
systems onto the natural numbers). This induction principle is established by 
the following lemma. 

∀T:Type. ∀p,p':T → ℕ. 
  WF(T;k,j. p(k) < p(j) ∨ (p(k) = p(j) ∧ p'(k) < p'(j))) 

Extraction: 

λT,p,p',P,g. (letrec f(n) = g(n)(λj. f j)) 

Note that the recursion combinator does not mention the measure functions. 

3 The Tableau Algorithm 

Our goal is to extract a tableau decision procedure from the formal proof. 
Tableau methods for proof search in intuitionistic logic go back to Beth [3] 
and are analyzed in detail by Fitting [11]. Roughly, tableau methods are search 
procedures that work by systematically exploring all consequences of an assumption 
in the search for a counter-example. For example, if a formula of the form 
P ∧ Q is assumed to be false, then one of P or Q must also be false; the step 
of tableau development for this formula will split into two paths, one with the 
added assumption that P is false and the other with the added assumption that 
Q is false. The tableau is the tree-like structure that records the development of 
the search, keeping track in each node of those formulas assumed to be true and 
those formulas assumed to be false. 

If, in the process of developing a path of the tableau, it occurs that a formula 
is assumed to be both true and false, then that path is contradictory and we say 
it is closed. If a path is developed to the point where further application of the 
tableau rules can only result in redundant nodes being added to the path, then 
we stop development and say the path is open. If all the paths developed in this 
process are closed then the initial assumption must be false and the formula is 
provable; i.e. if the initial assumption that the formula is false always leads to a 
contradiction, then the formula must be true. Using the tableau so constructed 
we construct a proof of the formula. If on the other hand some path in the 
tableau is open, that path is interpreted as a Kripke counter-example to the 
initial formula. 

It is easy to check whether a path is closed. The complexity of the decidability 
argument arises in determining whether further development of an open path is 
redundant. Underwood [18] provided a new termination argument based on a 
lexicographic ordering of tableau systems based on two measures: 

i1: bounding the number of nodes that can be added to a tableau system, and 
i2: bounding the number of formulas that can be added to any node. 

Ultimately, these measures depend on the fact that tableau construction has 
the subformula property, i.e. in the tableau development, only subformulas of 
formulas already occurring in the tableau are ever added. 

Measures i1 and i2 are calculated by computing conservative upper bounds 
on the sizes of the respective structures they measure and then by taking the dif- 
ference between these bounds and the actual sizes of the objects in the tableau 
being constructed. Since nodes and systems grow during each step of tableau 
development, the difference decreases. Thus, at each step of the tableau con- 
struction process, one or the other measure decreases, which is enough to show 
termination. The bounds are never achievable in an actual tableau development 
and so we terminate the process when all nodes are completely developed and 
when the system is completely developed. 

4 Intuitionistic Proof Systems, Kripke Counter-Examples 
and Tableau Systems 

The final output of the algorithm we are interested in will either be a proof 
that the initial system is valid or a Kripke model serving as a counter-example, 
we formalize these structures now. 

4.1 Formulas and Sequents 

Propositional formulas are formalized by the following Nuprl recursive type: 

Formula ≝ rec(F. Var | Unit | F×F | F×F | F×F) 

Reading left to right, a formula is either: a variable x (displayed ⌜x⌝); the 
constant inhabiting the type Unit, which is interpreted as false and displayed 
⌜false⌝; a pair of formulas representing a conjunction, displayed as p⌜∧⌝q; a 
pair of formulas representing a disjunction, displayed p⌜∨⌝q; or a pair of 
formulas representing an implication, displayed (p⌜⇒⌝q). Negation (¬p) is 
defined as (p⌜⇒⌝⌜false⌝) and we do not include it explicitly in our formula 
type; neither do we include an operator for equivalence. Formula is a discrete 
type, i.e. it is decidable whether two formulas are equal. 

We model the type of variables using the Nuprl Atom type; however, any discrete 
type may be substituted. Other than this constraint, Var may be considered 
an uninterpreted type. 

88    James Caldwell 

The sequent type (Sequent) consists of pairs of formula lists. If S is a se- 
quent, Hyps(S) denotes the list of formulas that are in the antecedent of S (the 
hypotheses) and Concl(S) denotes the list of formulas in the succedent of S (the 
conclusions). Sequent is a discrete type since Formula is. 

A sequent is deemed true whenever the conjunction of the antecedents implies 
the disjunction of the succedents (by convention, an empty disjunction is true 
and an empty conjunction is false.) 



4.2 Multi- Succedent Proofs 

Our proof type is based on the sequent calculus MJ presented in Figure 1. MJ 
is essentially the propositional fragment of Dragalin’s [8, pg.ll] multi-succedent 
calculus. The form of our rules differs from Dragalin’s in logically insignificant 
ways that support the use of lists instead of sets. 



(false l)   M, false, N ⊢ C 

(Ax)        M, q, N ⊢ M', q, N' 

(∨l)        q, M, q∨r, N ⊢ C      r, M, q∨r, N ⊢ C 
            ------------------------------------- 
                       M, q∨r, N ⊢ C 

(∨r1)       H ⊢ q, M, q∨r, N          (∨r2)   H ⊢ r, M, q∨r, N 
            -----------------                 ----------------- 
            H ⊢ M, q∨r, N                     H ⊢ M, q∨r, N 

(∧l1)       q, M, q∧r, N ⊢ C          (∧l2)   r, M, q∧r, N ⊢ C 
            -----------------                 ----------------- 
            M, q∧r, N ⊢ C                     M, q∧r, N ⊢ C 

(∧r)        H ⊢ q, M, q∧r, N      H ⊢ r, M, q∧r, N 
            ------------------------------------- 
                       H ⊢ M, q∧r, N 

(⇒l)        M, q⇒r, N ⊢ q, C      r, M, q⇒r, N ⊢ C 
            ------------------------------------- 
                       M, q⇒r, N ⊢ C 

(⇒r)        q, H ⊢ r 
            --------------- 
            H ⊢ M, q⇒r, N 

Fig. 1. System MJ 

To read these rule schemas, M, N, C and H denote (possibly empty) formula 
lists and q and r denote individual formulas. Consider the figure for the rule 
labelled (⇒r); this rule characterizes the multi-conclusion intuitionistic sequent 
calculus. To derive the sequent H ⊢ M, q⇒r, N it is enough to show the 
sequent q, H ⊢ r. Note that, in distinction to the other rules, the formulas in 
the succedent of the conclusion of (⇒r) (formulas in the lists M, N) have 
been replaced by the single formula r. 

MJ proofs are formally modeled in the Nuprl implementation in two stages. 
In the first, a recursive type of pre-proofs is defined to represent the shape (tree 
structure) of a proof. In the second stage, the type of pre- proofs is narrowed to 
include only those trees representing actual proofs. 

pre_proof ≝ rec(P. Sequent 
              | Sequent × Sequent × P 
              | Sequent × Sequent × P × Sequent × P) 

We display the three classes of pre_proofs as C\, C\<H,p>, and C\<H,p>,<H',p'> 
respectively where C, H, and H' are sequents and p and p' are pre-proofs. 

For a pre-proof P let Concl(P) be the sequent that is the root of the pre-proof. 
Excluding axioms, the rules of system MJ have either one or two hypotheses. 
These rule classes are characterized by two definitions, one for rules having a 
single hypothesis (proof_rule1: ∨r1, ∨r2, ⇒r, ∧l1, and ∧l2) and another 
for rules having two hypotheses (proof_rule2: ∨l, ∧r, and ⇒l). We give the 
definition of proof_rule1 here. 

c\h is a rule instance ≝ 
  ∃a,b:Formula. 
    ((a⌜∨⌝b) ∈ Concl(c) ∧ h = <Hyps(c), a::Concl(c)>) 
    ∨ ((a⌜∨⌝b) ∈ Concl(c) ∧ h = <Hyps(c), b::Concl(c)>) 
    ∨ ((a⌜⇒⌝b) ∈ Concl(c) ∧ h = <a::Hyps(c), b::[]>) 
    ∨ ((a⌜∧⌝b) ∈ Hyps(c) ∧ h = <a::Hyps(c), Concl(c)>) 
    ∨ ((a⌜∧⌝b) ∈ Hyps(c) ∧ h = <b::Hyps(c), Concl(c)>) 

The equality used here is the type equality for sequents (defined as pairs of 
formula lists) and so order counts; this is not the semantic (permutation) equality 
on sequents. The reader can verify by inspection that these clauses match the 
appropriate rules of system MJ. 

In the second stage of modeling MJ proofs, a well-formedness predicate is 
defined to narrow the class of pre-proofs to those structures that actually model 
proofs of system MJ. For a pre-proof P we write P is a Proof if: 

i.) its leaves are all instances of the false l rule or the Ax rule, and 
ii.) every non-leaf node matches a conclusion of some rule instance and its 
children match the premises of that rule. 

This characterization is formalized by a recursive function we omit for lack of 
space. Thus proofs are characterized by the subtype of pre-proofs that are well 
formed. 

Proof ≝ {p:pre_proof | p is a Proof} 

A proof P proves a sequent S if Concl(P) = S. 

4.3 Kripke Counter-examples as Evidence of Unprovability 

It is a well known negative result that no finite valuation captures intuitionis- 
tic propositional logic. Thus, models for intuitionistic logic are necessarily more 
complex than models for classical logics. Following the account given by Under- 
wood in [18], we use Kripke models to witness the unprovability of a formula. This 
interpretation is not without some subtlety as Kripke models provide for classi- 
cal analyses of intuitionistic logic but are not faithful to intuitionistic semantics. 
Smorynski [17] and Dummett [9] discuss this in some detail. Nevertheless, fol- 
lowing Underwood [18, pg. 11-15], Kripke models are used here as evidence of 
unprovability. Failed tableau searches yield Kripke counter-examples. This use 
of Kripke models as counter-examples to intuitionistic provability has received 
attention elsewhere [15,13]. 
The type of Kripke models is a dependent triple consisting of a type (of 
states), a reflexive and transitive relation on the states, and an atomic forcing 
function. 

Kripke ≝ T:Type 
         × R:{R:(T × T) → Prop | Reflexive(R) ∧ Transitive(R)} 
         × {af:T → Var → Prop | 
              ∀a:T. ∀v:Var. af(a)(v) ⇒ (∀b:T. R(<a,b>) ⇒ af(b)(v))} 

The selectors for the three components of a Kripke model K are displayed as 
|K|, ≤{K}, and K.af respectively. For states s and s' we display s ≤{K} s' for 
≤{K}(<s,s'>). 

Truth in a Kripke model is defined by the forcing relation. The statement 
of the main theorem requires definitions of both forces, and its complement not 
forces. The reader may realize that we cannot simply define the complementary 
notion by taking the constructive negation of the definition of forcing. To 
avoid this problem, following a suggestion of Underwood, we define the forces 
and not-forces relations simultaneously by mutual recursion. Definition by mutual 
recursion is not directly supported by Nuprl tactics (although there is no 
technical reason it cannot be) and we use the pairing trick to implement it. 

<forces,not_forces>{K} ≝ 
  (letrec f_af(s)(f) = 
     case f : 
       ⌜x⌝ → <K.af(s)(x), ¬(K.af(s)(x))>; 
       ⌜false⌝ → <False, True>; 
       a⌜∧⌝b → <(f_af(s)(a)).1 ∧ (f_af(s)(b)).1, 
                 (f_af(s)(a)).2 ∨ (f_af(s)(b)).2>; 
       a⌜∨⌝b → <(f_af(s)(a)).1 ∨ (f_af(s)(b)).1, 
                 (f_af(s)(a)).2 ∧ (f_af(s)(b)).2>; 
       a⌜⇒⌝b → <∀s':|K|. s ≤{K} s' ⇒ 
                   (f_af(s')(a)).2 ∨ (f_af(s')(b)).1, 
                 ∃s':|K|. s ≤{K} s' ∧ 
                   (f_af(s')(a)).1 ∧ (f_af(s')(b)).2>; 
  ) 

Using this definition we further define forces(K,S,f) and not_forces(K,S,f) 
to be the first and second projections of the term <forces,not_forces>{K}(S)(f). 



4.4 Tableau Systems 

The tree structure representing an actual tableau is never explicitly constructed 
by the program extracted from the proof presented here. Rather, the paths 
in the tableau are represented by lists of tableau nodes, these lists are called 
Systems and the overall structure of the tableau is implicit in the unfolding of 
the recursion. 

Like sequents, tableau nodes (type Node) are represented by pairs of formula 
lists. The elements in the first component of a node are those formulas assumed 
to be true, the elements in the second component are those elements assumed 
to be false. We refer to these components by writing T(N) for the true part and 







F(N) for the false part. Of course, Node is a discrete type. asSequent(N) casts the 
node N to the type Sequent. 

A System is a non-empty list of nodes. 

There is a close correspondence between the steps of tableau construction 
and the proof rules of system MJ. For each proof rule there is a corresponding 
step of tableau development. For proof rules having a single premise there is a 
corresponding tableau development step in which an existing node is extended 
or, in the case of ⇒r, the tableau system itself is extended by the addition 
of a new node. For proof rules having two premises, the corresponding tableau 
step extends an existing node in the tableau in two different ways, invoking the 
induction hypothesis (unfolding a step of recursion) on these extended systems. 
This bifurcation of systems corresponds to a branching in the tableau structure. 
We call the tableau steps corresponding to rules other than the ⇒r rule local 
rules, as they only extend existing nodes. 

When a node has been developed as far as possible under the local rules we 
say it is node complete (we write nComplete(N)). The type of eligible systems 
(ESystem) consists of those systems restricted to contain at most one member that is 
not node complete. Tableau systems containing all possible node extensions in- 
duced by occurrences of ⇒ are called system complete; for a system S we write 
sComplete(S) to indicate S is system complete. 

In the case of a failed tableau search, culminating in a system S, the corre- 
sponding Kripke structure K(S) will serve as the counter-example. Eventually, 
we are interested in viewing tableau systems as Kripke structures. The following 
function serves to map systems into a triple which is a Kripke model. 

K(S) ≝ <{N:Node| N∈S}, λ<n,m>. T(n) ⊆ T(m), λN,x. ⌜x⌝ ∈ T(N)> 

Thus, under the interpretation, states of the corresponding Kripke model consist 
of the type whose members are those nodes in the system. The ordering on pairs 
of nodes is defined by sublist inclusion on the formulas assumed to be true in 
the nodes. The atomic forcing function for a state N and a variable x is defined 
by membership of the atomic formula ⌜x⌝ among formulas assumed true at N. 
That systems do indeed map to Kripke models under K is established by a well- 
formedness theorem for K. 

5 Intuitionistic Decidability 

A proof of a constructive disjunction (P ∨ Q) must indicate which of P or 
Q was proved and also must give evidence for its truth. Thus, if intuitionistic 
decidability is stated as follows: 

∀S:Sequent. (∃p:Proof. p proves S) ∨ (∃c:counter_example. c refutes S) 

the resulting computational content is a function that takes a sequent as input 
and which either returns evidence for its validity or returns a counter-example. 

We do not prove this theorem directly, but instead prove a more general 
theorem having the structure to support an inductive proof. The more general 
theorem does not apply directly to formulas, but applies to systems (lists of 
tableau nodes) satisfying the eligibility condition of being members of the type 
ESystem. Evidence for the provability of an ESystem takes the form of a formal 
proof in the sequent calculus MJ. Evidence for its absurdity takes the form of a 
Kripke counter-example. Formally stated, the theorem we eventually prove here 
is the following: 

∀S:ESystem. 
  (∃N:{N:Node| N∈S}. {p:Proof | p proves asSequent(N)}) 
  ∨ {K:Kripke | ∃f:Node → |K|. 
       ∀N:{N:Node| N∈S}. 
         ∀F:Formula. (F∈T(N) ⇒ forces(K,f N,F)) 
                   ∧ (F∈F(N) ⇒ not_forces(K,f N,F))} 

To decide a formula φ, we will apply the computational content of this more 
general theorem to an eligible system containing a single node in which φ is 
assumed to be false. Should φ turn out to be provable, the result is a pair 
consisting of a tableau node and a proof of that node regarded as a sequent. 
Since the computational content of the theorem is intended to be applied to 
systems consisting of single nodes which contain a single formula, this evidently 
corresponds to a proof of the sequent <[],[φ]>. Should φ turn out not to be 
provable, the result is a Kripke counter-example. Kripke counter-examples here 
take the form of Kripke models defined over tableau nodes N∈S such that every 
formula in the true portion of the node (T(N)) is forced and every element in 
the false portion of the node (F(N)) is not forced. Since we will be applying the 
extracted program to initial systems consisting of a single node containing a 
single formula assumed to be false, the formula is not forced in the resulting 
Kripke model and so it serves as a counter-example. 

5.1 The Proof 

The proof of the theorem stated above is by induction on eligible systems, i.e. 
on systems having at most one node that is not node complete. The induction 
principle is the lexicographic measure induction presented above in Section 2.2. 
We apply it here using the measure functions i1 and i2 defined above in Sec- 
tion 3. Recall that the first measure decreases with every node added to the 
system while the second decreases as formulas are added to the eligible node. 

After inducting on the eligible system S we are left with the following Nuprl 
state. 

1. S: ESystem 
2. ∀k:{k:ESystem | k < S}. 
     (∃N:{N:Node| N∈k}. {p:Proof | p proves asSequent(N)}) 
     ∨ {K:Kripke | ∃g:Node → |K|. 
          ∀N:{N:Node| N∈k}. 
            ∀f:Formula. (f∈T(N) ⇒ forces(K,g(N),f)) 
                      ∧ (f∈F(N) ⇒ not_forces(K,g(N),f))} 
⊢ (∃N:{N:Node| N∈S}. {p:Proof | p proves asSequent(N)}) 
   ∨ {K:Kripke | ∃g:Node → |K|. 
        ∀N:{N:Node| N∈S}. 
          ∀f:Formula. (f∈T(N) ⇒ forces(K,g(N),f)) 
                    ∧ (f∈F(N) ⇒ not_forces(K,g(N),f))} 

Thus, we may assume (by hypothesis 2) that there is either a proof or a Kripke 
counter example for eligible systems lexicographically below S. The recursive 
structure (the outermost letrec) of the extracted program (see Fig. 2) arises 
from this step of induction. 

Consider the eligible system S declared in hypothesis 1 above; either all nodes 
in S are node complete or not. This property is decidable and appears in the 
extracted program as the first if-then-else clause. 

Consider the else case first, i.e. there exists some node N in S that is not 
node complete (¬nComplete(N)). Since eligible nodes are expanded in place by 
adding subformulas of formulas already occurring in S, the tableau expansion 
steps for these rules reduce the measure i2. The proof rules ∨r1, ∨r2, ∧l1, and 
∧l2 correspond to local tableau steps and all have one premise. In these cases, 
the induction hypothesis is instantiated with the system constructed from S by 
extending the eligible node with subformulas as specified by the corresponding 
proof rule. The proof rules ∨l, ∧r, and ⇒l all have two premises and so we 
instantiate two copies of the induction hypothesis: one with the system con- 
structed by expanding the eligible node with the subformulas specified in the 
left premise of the corresponding proof rule, and the other with a system cre- 
ated by expanding the eligible node by adding subformulas as specified by the 
right premise of the corresponding rule. In each case, the result of instantiating 
the induction hypothesis is a new hypothesis asserting the existence of a node- 
proof pair or a Kripke counter-example for the extended (and therefore 
lexicographically smaller) system. Whenever a Kripke counter-example exists, 
it serves to refute S as well. In the case a node-proof pair results from the 
instantiated induction hypotheses, it is used to identify a node in S and 
to construct a proof for it. Each instantiation of the induction hypothesis in the 
proof generates a recursive call to the tableau procedure in the extract (Fig. 2). 
The computations corresponding to the seven local rules can be identified in the 
extract. 

Suppose instead that there is no eligible node in S (this is the then-clause 
of the outermost if-then-else in the extracted program). Either the system is 
system complete (sComplete(S)) or not. If it is not system complete then there 
is some node containing an occurrence of ⇒ (say of the form P ⇒ Q) which 
has not been accounted for in S; call this node N. In this case, decompose the 
induction hypothesis with the system constructed by extending S with a new 
node constructed from N which accounts for the application of the ⇒r rule. 

This new node is constructed by replacing F(N) with the single formula Q and 
by adding the formula P to the formulas in T(N) . This extended system is 
lower in the lexicographic ordering of systems since the measure il is reduced 
whenever a node is added to S. As above, the instantiation of the induction 
hypothesis results in a recursive call to the tableau procedure in the extracted 
program, which returns either a node-proof pair or a Kripke counter-example 
for the expanded system. 

Finally, if all nodes are complete and the system is complete, then we are in 
the base case where one of a node-proof pair or a Kripke counter example is con- 
structed directly without reference to the induction hypothesis. This is accounted 
for in the extract by a call to the extract of the lemma (decidability_base): 

∀S:ESystem. 
  sComplete(S) 
  ⇒ ∀N∈S. nComplete(N) 
  ⇒ (∃N:{N:Node| N∈S}. {p:Proof | p proves asSequent(N)}) 
     ∨ {K:Kripke | ∃g:Node → |K|. 
          ∀N:{N:Node| N∈S}. 
            ∀f:Formula. (f∈T(N) ⇒ forces(K,g(N),f)) 
                      ∧ (f∈F(N) ⇒ not_forces(K,g(N),f))} 

If the system contains a node that, viewed as a sequent, is an instance of an 
axiom, then that node is returned paired with the instance of the axiom rule. If 
not, then a Kripke counter-model is constructed by applying the function K to 
the system (defined above in Section 4.4.) 

This completes the proof of decidability in the intuitionistic case. 
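As an added example (our own Python, not the paper's Nuprl formalization or its extract), the decision procedure of Sections 4.4 and 5.1 in miniature, together with the paired forces/not_forces relation of Section 4.3 used to check the counter-model that a failed search returns. The helper names (local_step, system_step, kripke_of, forces_pair, decide, refutes) are ours; nodes are pairs of frozensets rather than formula lists, and_l adds both conjuncts in one step, and a successful search returns a rule-labelled tree rather than an MJ proof object.

```python
# Added example (ours): tableau decider over systems of nodes, in the shape of the
# extract of Fig. 2, plus the <forces, not_forces> pairing trick of Section 4.3.
# Formulas are tuples: ('var', x), ('false',), ('and', a, b), ('or', a, b), ('imp', a, b).
# A node is (T, F) with T and F frozensets (formulas assumed true / false);
# a system is a list of nodes. All helper names below are ours, not the paper's.

FALSE = ('false',)
def var(x): return ('var', x)
def conj(a, b): return ('and', a, b)
def disj(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)

def closed(N):
    """Axiom check (false l / Ax): false assumed true, or a formula assumed both ways."""
    T, F = N
    return FALSE in T or bool(T & F)

def local_step(N):
    """First node-extending step at N as (rule, successor nodes); None if N is node
    complete. Two-premise rules (or_l, imp_l, and_r) give two alternatives. Unlike
    MJ's and_l1/and_l2, and_l adds both conjuncts; or_r adds both disjuncts."""
    T, F = N
    for tag, *args in T:
        if tag == 'and' and not (args[0] in T and args[1] in T):
            return 'and_l', [(T | set(args), F)]
        if tag == 'or' and not (args[0] in T or args[1] in T):
            return 'or_l', [(T | {args[0]}, F), (T | {args[1]}, F)]
        if tag == 'imp' and not (args[0] in F or args[1] in T):
            return 'imp_l', [(T, F | {args[0]}), (T | {args[1]}, F)]
    for tag, *args in F:
        if tag == 'and' and not (args[0] in F or args[1] in F):
            return 'and_r', [(T, F | {args[0]}), (T, F | {args[1]})]
        if tag == 'or' and not (args[0] in F and args[1] in F):
            return 'or_r', [(T, F | set(args))]
    return None

def system_step(S):
    """The imp_r step: a node N with a => b assumed false that no node of S accounts
    for yet (a node whose true part contains T(N) plus a and whose false part
    contains b). Returns (N, new node), or None when S is system complete."""
    for N in S:
        T, F = N
        for tag, *args in F:
            if tag == 'imp':
                a, b = args
                if not any(T | {a} <= M[0] and b in M[1] for M in S):
                    return N, (T | {a}, frozenset({b}))
    return None

def tableau(S):
    """Same shape as the extract: returns ('proof', N, tree) with N a node of S and
    tree a rule-labelled derivation of N, or ('model', S2) with S2 a complete
    system extending S whose Kripke structure K(S2) refutes every node of S."""
    for N in S:                         # the base case's axiom test, done first here
        if closed(N):
            return ('proof', N, ('Ax', N))
    for N in S:                         # a node that is not node complete
        step = local_step(N)
        if step:
            rule, alts = step
            subtrees = []
            for M in alts:              # one recursive call per premise
                r = tableau([M if X == N else X for X in S])
                if r[0] == 'model' or r[1] != M:
                    return r            # counter-model, or proof of an untouched node
                subtrees.append(r[2])
            return ('proof', N, (rule, *subtrees))
    step = system_step(S)               # all nodes complete: try to extend the system
    if step:
        N, new = step
        r = tableau(S + [new])
        return r if r[0] == 'model' or r[1] != new else ('proof', N, ('imp_r', r[2]))
    return ('model', S)                 # node complete and system complete, no axiom

def kripke_of(S):
    """K(S) of Section 4.4: states are the nodes, the order is inclusion of true parts,
    and a variable is forced at a node iff it is among the node's true formulas."""
    return (list(S), lambda n, m: n[0] <= m[0], lambda n, x: ('var', x) in n[0])

def forces_pair(K, s, f):
    """The pairing trick of Section 4.3: <forces, not_forces> of f at state s."""
    states, le, af = K
    tag = f[0]
    if tag == 'var':
        return (af(s, f[1]), not af(s, f[1]))
    if tag == 'false':
        return (False, True)
    if tag in ('and', 'or'):
        (fa, na), (fb, nb) = forces_pair(K, s, f[1]), forces_pair(K, s, f[2])
        return (fa and fb, na or nb) if tag == 'and' else (fa or fb, na and nb)
    succ = [t for t in states if le(s, t)]  # implication quantifies over later states
    return (all(forces_pair(K, t, f[1])[1] or forces_pair(K, t, f[2])[0] for t in succ),
            any(forces_pair(K, t, f[1])[0] and forces_pair(K, t, f[2])[1] for t in succ))

def decide(phi):
    """Run the tableau on the single-node system <[],[phi]>, as in Section 5."""
    return tableau([(frozenset(), frozenset({phi}))])

def refutes(S, phi):
    """Counter-model check: a state still assuming phi false does not force phi."""
    K = kripke_of(S)
    return any(phi in N[1] and forces_pair(K, N, phi)[1] for N in S)
```

For Peirce's law ((p⇒q)⇒p)⇒p the search ends in a three-node complete system whose K(S) leaves the formula unforced at the root state, while p⇒(q⇒p) and ¬¬(p∨¬p) come back with proof trees.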



5.2 Remarks on the Extract 

Figure 2 exhibits the extracted decision procedure. The program shown there 
has been symbolically transformed within Nuprl using the direct computation 
system to eliminate some unnecessary steps of computation. This mostly entails 
β-reducing occurrences of applications of the identity function. These transfor- 
mations are entirely formal and since, by the semantics of Nuprl, direct compu- 
tation is allowed anywhere within a term, they do not change the meaning of the 
program. The program has further been hand edited to format it and to rename 
unreadable system generated variable names. This is only for display. 

6 Future Work 

Study of the extracted program reveals that there is room for the introduction 
of abstractions which would both make the extracted program clearer and would 
result in a shorter proof. This process of tuning a proof by examination of the 
extract and of tuning the extract by studying the proof is an interesting part of 
the methodology of using a constructive system like Nuprl. 

Integrating the extracted decider for intuitionistic propositions into Nuprl 
is an immediate goal. However, if we are to preserve Nuprl’s program extraction 
capabilities, this poses some problems. Nuprl’s proof system is a single succedent 
sequent calculus. To repair the error in the ACU proof we have resorted to a 
multi-succedent calculus. Egly and Schmitt [10] give cut-free translations of 
multi-succedent proofs into single succedent proofs which preserve reasonable 
extracts. 

The program extracted here can easily be translated into ML and used as 
part of a tactic to decide propositional fragments of Nuprl's type theory. The 
resulting tactic would fail, returning the Kripke model as evidence against the 
validity of a formula should it turn out not to be valid; alternatively, it would use 
the formal proof returned by the decision procedure, in concert with the Egly 
and Schmitt procedure, to construct a Nuprl tactic, which it could then apply 
to discharge the goal. 

  letrec tableau(S) =
    if ∀N∈S. nComplete(N) then
      if sComplete(S) then
        ext{decidability_base}(S)(•)(•)
      else let <N,a,b,mp,_> = (ext{not_system_complete}(S)(•)) in
        case tableau(<a::T(N), b::[]>::S)
          of inl(<N1,p1>) =>
               inl(if (N1 = <a::T(N), b::[]>)
                   then <N, let <p',_> =
                              (ext{imp_right_proof}(N)(a)(b)(mp)(p1)(Ax)) in p'>
                   else <N1, p1>)
           | inr(K) => inr(K)
    else
      let <N,t> = (∃N:{N:Node | N∈S}. ¬nComplete(N))
      let <a,b,op_type> = (ext{not_node_complete}(N)(t)) in
      case op_type of inl(<_,V14>) => case V14
        of inl(_) =>
             case tableau(<a::T(N), F(N)>::remove(N;S))
               of inl(<N1,p1>) =>
                    inl(if (N1 = <a::T(N), F(N)>)
                        then <N, mk_proof(N, <N1,p1>)>
                        else <N1, p1>)
                | inr(K) => inr(K)
         | inr(_) =>
             case tableau(<b::T(N), F(N)>::remove(N;S))
               of inl(<N1,p1>) =>
                    inl(if (N1 = <b::T(N), F(N)>)
                        then <N, mk_proof(N, <N1,p1>)>
                        else <N1, p1>)
                | inr(K) => inr(K)
       | inr(V13) => case V13
        of inl(_) =>
             case tableau(<a::T(N), F(N)>::remove(N;S))
               of inl(<N1,p1>) =>
                    if (N1 = <a::T(N), F(N)>) then
                      case tableau(<b::T(N), F(N)>::remove(N;S))
                        of inl(<N2,p2>) =>
                             inl(if (N2 = <b::T(N), F(N)>)
                                 then <N, mk_proof(N, <N1,p1>, <N2,p2>)>
                                 else <N2, p2>)
                         | inr(K) => inr(K)
                    else inl(<N1, p1>)
                | inr(K) => inr(K)
         | inr(V15) => case V15
          of inl(_) =>
               case tableau(<b::T(N), F(N)>::remove(N;S))
                 of inl(<N1,p1>) =>
                      if (N1 = <b::T(N), F(N)>) then
                        case tableau(<T(N), a::F(N)>::remove(N;S))
                          of inl(<N2,p2>) =>
                               inl(if (N2 = <T(N), a::F(N)>)
                                   then <N, mk_proof(N, <N1,p1>, <N2,p2>)>
                                   else <N2, p2>)
                           | inr(K) => inr(K)
                      else inl(<N1, p1>)
                  | inr(K) => inr(K)
           | inr(V17) => case V17
            of inl(_) =>
                 case tableau(<T(N), b::F(N)>::remove(N;S))
                   of inl(<N1,p1>) =>
                        if (N1 = <T(N), b::F(N)>) then
                          case tableau(<T(N), a::F(N)>::remove(N;S))
                            of inl(<N2,p2>) =>
                                 inl(if (N2 = <T(N), a::F(N)>)
                                     then <N, mk_proof(N, <N2,p2>, <N1,p1>)>
                                     else <N2, p2>)
                             | inr(K) => inr(K)
                        else inl(<N1, p1>)
                    | inr(K) => inr(K)
             | inr(V19) => let <_,V21> = V19 in
                case V21
                  of inl(_) =>
                       case tableau(<T(N), a::F(N)>::remove(N;S))
                         of inl(<N1,p1>) =>
                              inl(if (N1 = <T(N), a::F(N)>)
                                  then <N, mk_proof(N, <N1,p1>)>
                                  else <N1, p1>)
                          | inr(K) => inr(K)
                   | inr(_) =>
                       case tableau(<T(N), b::F(N)>::remove(N;S))
                         of inl(<N1,p1>) =>
                              inl(if (N1 = <T(N), b::F(N)>)
                                  then <N, mk_proof(N, <N1,p1>)>
                                  else <N1, p1>)
                          | inr(K) => inr(K)

Fig. 2. The extract of the decidability proof 

Another line of development that needs to be explored is the reflection of 
this decision procedure into Nuprl. Reflection [2,1] was the motivation for the 
proof outlined in [1]. 
Abstract. We extend the unquantified set-theoretic fragment discussed 
in [1] with a restricted form of quantification, we prove decidability of 
the resulting fragment by means of a tableau calculus, and we address 
the efficiency problem of the underlying decision procedure by showing 
that the model-checking steps used in [1] are not necessary. 



1 Introduction 

In Computable Set Theory a "core" decidable fragment is Multi-Level Syllogis- 
tic (in short MLS), namely the unquantified set theory involving the constant 
∅ (empty set), the operators ∪ (union), ∩ (intersection) and \ (set difference), 
and the predicates ∈ (membership), = (equality) and ⊆ (set inclusion). Its sat- 
isfiability decision problem was first solved in [7], the paper which started the 
research field of computable set theory. 

Several extensions of MLS were proved decidable, among them Multi-Level 
Syllogistic with Singleton (in short MLSS), which extends MLS with the single- 
ton operator {·}. A decision procedure for MLSS was first stated as a tableau 
calculus in [4]. However, it was not until 1997 that the problem of efficiently 
deciding fragments of set theory was seriously tackled, when a fast saturation 
strategy based on interleaving model-checking steps with saturation ones was 
introduced in [3] for a tableau calculus for MLSS. 

In [1] another tableau calculus for MLSS, still based on the model-checking 
approach, was presented where formulae do not need to be expressed in a nor- 
malized form, in contrast to [3], where formulae need a preprocessing normaliza- 
tion phase. The same paper also presented a complete tableau calculus for the 

* This work has been partially supported by the C.N.R. of Italy, coordinated project 
SETA, by M.U.R.S.T. Project "Tecniche speciali per la specifica, l'analisi, la verifica, 
Theory: A Tool for Software Verification" under the 1999 Vigoni Program. 

Neil V. Murray (Ed.): TABLEAUX'99, LNAI 1617, pp. 97-112, 1999. 
fragment MLSSF, resulting from the extension of MLSS with uninterpreted 
function symbols. However, the tableau calculus for MLSSF presented in [1] is 
not a decision procedure, though a promising optimization based on the concept 
of rigid E-unification was given. 

Recently, in [5] we have proposed a more efficient strategy which does not 
require the model-checking steps, though limited to the fragment MLSS. In this 
paper we apply and further improve the same idea of [5] to the larger fragment 
MLSSF^, which is obtained by extending MLSSF with a restricted form of 
quantification. In contrast with [1], we not only provide a sound and complete 
tableau calculus for MLSSF^, but even a practical saturation strategy which is 
guaranteed to terminate. 

MLSSF^ is related to the theory presented in [2]. However, the decision 
procedure described there, which is not stated as a tableau calculus, is highly 
non-deterministic and not suitable for automation. 

The paper is organized as follows. In Section 2 we introduce the syntax and 
semantics of MLSSF^ and also give some examples to illustrate its expressive 
power. In Section 3 we present a tableau calculus for MLSSF^ and introduce 
some restrictions on the applicability of some of its rules to enforce termina- 
tion. Soundness and completeness of the MLSSF^-tableau calculus are proved in 
Section 4. In Section 5 we discuss some optimizations of the MLSSF^-tableau 
calculus and make comparisons with those presented in [1] and [3]. Finally, in 
Section 6 we hint at some directions for future research. 



2 Syntax and Semantics 



The basic elements of the language of MLSSF^ are: 

— denumerably many variables, denumerably many uninterpreted constants, 
and denumerably many uninterpreted unary function symbols; 

— the interpreted constant ∅ (empty set), and the interpreted function sym- 
bols ∪ (union), ∩ (intersection), \ (set difference) and {·} (singleton); 

— the interpreted predicate symbols ∈ (membership) and ≈ (equality); 

— the logical connectives ¬ and ∧;¹ 

— the universal quantifier symbol ∀. 

To simplify notation, we use the abbreviations s ∉ t and s ≉ t to denote 
¬(s ∈ t) and ¬(s ≈ t), respectively. 

Next we define the fragment MLSSF^. 



¹ In our treatment, ¬¬p is considered to be a syntactic variation of p. 



A Tableau-Based Decision Procedure   99 



Definition 1. An MLSSF^-formula φ is a logical formula in the language 
of MLSSF^ such that each subformula of φ of type ∀x ∈ t : ψ has a positive 
polarity² and moreover satisfies the following technical conditions: 

(A) t is ground, and 

(B) the variable x cannot be a proper subterm of a term t' in ψ such that 

  • t' involves some interpreted symbols, or 

  • t' occurs on the left-hand side of a membership literal. 

Thus, for instance, if s and t are ground terms, then ∀x ∈ t : f(x) ≈ s and 
s ≉ t are MLSSF^-formulae, whereas ∀x ∈ t : {x} ≈ s, ∀x ∈ t : f(x) ∈ s, 
and ∀x ∈ t : ∀y ∈ x : φ are not MLSSF^-formulae. It is to be noticed that 
the decision problem for the fragment obtained from MLSSF^ by dropping 
technical conditions (A) and (B) is still open. 

Definition 2. The degree of an MLSSF^-formula is the number of symbols 
occurring in it. 

The semantics of MLSSF^ is based upon the von Neumann standard cumulative 
hierarchy V of sets defined by: 

  V_0 = ∅ 
  V_{α+1} = 𝒫(V_α),        for each ordinal α 
  V_λ = ⋃_{μ<λ} V_μ,       for each limit ordinal λ 
  V = ⋃_{α∈O} V_α 

where 𝒫(S) is the power set of S and O denotes the class of all ordinals. It can 
easily be seen that there can be no membership cycle in V, namely sets in V are 
well-founded with respect to the membership relation. 

Definition 3. A set model M interprets each constant c with a set c^M in V, 
and each function symbol f with a function f^M : V → V. 

An MLSSF^-formula φ is said to be SATISFIABLE if there exists a set model 
M such that, after interpreting the interpreted symbols occurring in φ ac- 
cording to their standard meaning³ and the uninterpreted ones according to M, 
one obtains the truth-value true. We write M ⊨ φ to say that the set model M 
satisfies φ. 



2.1 Expressivity of MLSSF^-formulae 

A variety of interesting set-theoretic constructs can be expressed by means of 
MLSSF^-formulae. Here we list some of them. 

² We recall that a subformula A of a formula F has a positive (resp. negative) polarity 
if it occurs within an even (resp. odd) number of negation symbols. 

³ Thus, for instance, ∪, ∩, \, {·}, ∈, and ≈ are interpreted as the set operators ∪, ∩, 
\, {·}, and as the set predicates ∈ and =, respectively. 
— {x1, ..., xn} =Def {x1} ∪ ··· ∪ {xn} (finite enumeration); 

— the inclusion relation s ⊆ t can be expressed both by s ∪ t ≈ t and by 
∀x ∈ s : x ∈ t, but the latter is preferable for efficiency reasons, since it 
does not introduce new terms; 

— the comprehension schema {x ∈ t : P(x)} can be expressed by means 
of the MLSSF^-formula 

  (∀x ∈ c : (x ∈ t ∧ P(x))) ∧ (∀x ∈ t : (P(x) → x ∈ c)), 

provided that t is ground and x is not used to form compound terms in 
P(x), with the only exceptions allowed by Definition 1; 

— some important function-related constructs can be expressed: 

  • injective(f, t) =Def ∀x1 ∈ t : ∀x2 ∈ t : (f(x1) ≈ f(x2) → x1 ≈ x2) 
  (the restriction of f to t is injective); 

  • identity(f, t) =Def ∀x ∈ t : f(x) ≈ x (the restriction of f to t is 
  the identity function over t); 

  • idempotent(f, t) =Def ∀x ∈ t : f(f(x)) ≈ f(x) (the restriction of f 
  to t is idempotent); 

  • equal(f, g, t) =Def ∀x ∈ t : f(x) ≈ g(x) (the restrictions of f and g 
  to t are equal); 

  • composition(f, g, h, t) =Def ∀x ∈ t : f(g(x)) ≈ h(x) (h is equal to 
  the function composition of f and g, when restricted to t); 

  • left-inverse(f, g, t) =Def ∀x ∈ t : g(f(x)) ≈ x (g is a left-inverse of 
  f, relative to t); 

— by using Kuratowski's ordered pair (a, b) =Def {{a}, {a, b}}, one can also ex- 
press functions with multiple arguments; for instance, f(a, b) could be 
considered as a shorthand for f({{a}, {a, b}}). 

It is to be noted, though, that the theory MLSSF^ is not expressive enough 
to force infinite models. This will follow as a by-product of the completeness 
proof. 

Finally, we conclude by pointing out that, in contrast to the language studied 
in [2], the MLSSF^-language does not currently deal with the inter- 
preted constants ℕ and O (respectively the set of natural numbers and the class 
of all ordinals); on the other hand it allows, as shown above, to express pred- 
icates related to functions (such as idempotent, composition, and left-inverse) 
which are not expressible in [2]. 

3 The Tableau Calculus 

The rules of the tableau calculus for MLSSF^ are listed in Table 3. 

Next we define how to construct MLSSF^-tableaux. 

Definition 4. Let φ be an MLSSF^-formula. An initial tableau for φ is a 
tree with only one node labeled with φ. 

An MLSSF^-tableau for φ is a tableau labeled with MLSSF^-formulae, 
which can be constructed from an initial tableau for φ by a finite number of 
applications of rules (1)-(18) in Table 3. 
[Table 1 lists rules (1)-(18) of the tableau calculus for MLSSF^. The body of the 
table is not legible in this scan; only its two footnotes survive.] 

ᵃ (rule (10)) The conclusion denotes the literal obtained from ℓ by substituting each 
occurrence of s in ℓ with t. 

ᵇ (rule (13)) c is a new uninterpreted constant not occurring in the branch to which 
the rule is applied. 

Table 1. Tableau calculus for MLSSF^ 



Closure conditions must also take into account the semantics of set theory, 
as the following definition indicates. 

Definition 5. A branch of an MLSSF^-tableau is CLOSED if it contains two com- 
plementary formulae ψ, ¬ψ, or a membership cycle of the form t0 ∈ t1 ∈ ... ∈ 
t0, or a literal of the form t ≉ t, or a literal of the form s ∈ ∅. 

A tableau is CLOSED if all its branches are closed. 

Notice that tableau rules (10) and (12), in combination with the fact that a 
branch containing the literal t ≉ t is closed, are used to compute the congruence 
closure of the equality relation between the terms occurring in the branch. 
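As an added illustration of Definition 5 (not code from the paper), the following Python checks a branch, given as a list of literals, against the four closure conditions; the membership-cycle test is a depth-first search over the positive membership literals. The tuple encoding of literals and the sample branches are assumptions constructed here.

```python
"""Closure conditions of Definition 5 applied to a tableau branch.
Added example, not the paper's code.  A literal is encoded as the tuple
(negated, lhs, rel, rhs) with rel in {"∈", "≈"}; terms are plain strings
and the empty set is the string "∅".  Only literals are considered, which
suffices for the complementary-formulae condition once the splitting
rules have been applied on a branch."""


def has_membership_cycle(branch):
    """True iff the positive membership literals form a chain
    t0 ∈ t1 ∈ ... ∈ t0 (a cycle in the graph with an edge s -> t per s ∈ t)."""
    succ = {}
    for neg, s, rel, t in branch:
        if not neg and rel == "∈":
            succ.setdefault(s, set()).add(t)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def visit(n):
        colour[n] = GREY
        for m in succ.get(n, ()):
            c = colour.get(m, WHITE)
            if c == GREY or (c == WHITE and visit(m)):
                return True          # back edge: a membership cycle
        colour[n] = BLACK
        return False

    return any(colour.get(n, WHITE) == WHITE and visit(n) for n in list(succ))


def closure_reason(branch):
    """Return the Definition 5 condition that closes the branch, or None."""
    lits = set(branch)
    for neg, s, rel, t in branch:
        if (not neg, s, rel, t) in lits:           # ψ and ¬ψ both present
            return f"complementary literals on {s} {rel} {t}"
        if neg and rel == "≈" and s == t:          # t ≉ t
            return f"literal {s} ≉ {t}"
        if not neg and rel == "∈" and t == "∅":    # s ∈ ∅
            return f"literal {s} ∈ ∅"
    if has_membership_cycle(branch):               # t0 ∈ t1 ∈ ... ∈ t0
        return "membership cycle"
    return None


# Constructed sample branches (literals read off Fig. 1 and Fig. 2).
OPEN_BRANCH = [                      # rightmost branch of Fig. 2: stays open
    (True, "w", "∈", "a"),
    (False, "w", "∈", "a ∪ f(a)"),
    (False, "w", "∈", "f(a)"),
    (True, "a", "≈", "a ∪ f(a)"),
]
CYCLE_BRANCH = [                     # node 16 of Fig. 1: f(c) ∈ f(c)
    (False, "f(c)", "∈", "f(c)"),
]

if __name__ == "__main__":
    print(closure_reason(OPEN_BRANCH))    # None
    print(closure_reason(CYCLE_BRANCH))   # membership cycle
```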
3.1 Ensuring Termination 

In order to force termination, some restrictions need to be imposed on the ap- 
plicability of the rules in Table 3 during the construction of an MLSSF^-tableau. 

Given an MLSSF^-tableau T for a formula φ, we make use of the following 
notation: 

— T_φ denotes the collection of ground terms occurring in φ; 

— T_θ^(13) (resp. T_θ^(18)) denotes the collection of ground terms introduced on 
the branch θ of T by applications of rule (13) (resp. (18)). 

We require that an MLSSF^-tableau is constructed according to the follow- 
ing restrictions. 

R1. No new term can be created by applications of any rule other than (13) 
or (18). Thus, for instance, rule (2) can be applied to a branch θ of a 
tableau only if the term t1 ∪ t2 occurs already in θ (not necessarily as 
a top-level term). Notice also that, by definition of MLSSF^-formulae, 
only terms of the form f1(··· fn(c) ···), with c an uninterpreted constant, 
can be created by rule (18). 

R2. In rule (10), ℓ stands for a literal, and the substituted term s is restricted 
to be a top-level term occurring in ℓ. 

R3. Rule (13) can be applied only if the terms t1 and t2 are in T_φ, and at most 
once for each such pair of terms. 

R4. The cut rule (14) can be applied to the pair of terms s and t only if for 
some term t' the literal s ∈ t' and one of the two terms t' ∪ t and t' \ t 
occur in the branch to which the rule is applied. 

R5. The cut rule (15) can be applied only to pairs of terms s and t such that 
both f(s) and f(t) occur in the branch to which the rule is applied, for 
some function symbol f. 

R6. Rule (18) can be applied to pairs of formulae s ∈ t and ∀x ∈ t : ψ 
occurring in a branch θ, provided that the term s is in T_φ ∪ T_θ^(13). 

Definition 6. A branch of an MLSSF^-tableau is said to be SATURATED if no 
application of any rule subject to restrictions R1-R6 can add new formulae to it. 



3.2 Examples 

Example 1. Figure 1 shows a proof of the unsatisfiability of the following 
MLSSF^-formula φ 

  (∀x ∈ d \ (a ∪ b) : f(c ∪ ∅) ∈ f(x)) ∧ (c ∈ (d \ a) ∩ (d \ b)) 

in the form of a closed tableau. Notice that x is the only variable in φ, whereas 
a, b, c and d are constants. 

We denote with φ_i the formula labeling node i, and provide justifications for 
the construction of the tableau in Figure 1. 
  0 : (∀x ∈ d \ (a ∪ b) : f(c ∪ ∅) ∈ f(x)) ∧ (c ∈ (d \ a) ∩ (d \ b)) 
  1 : ∀x ∈ d \ (a ∪ b) : f(c ∪ ∅) ∈ f(x) 
  2 : c ∈ (d \ a) ∩ (d \ b) 
  3 : c ∈ d \ a 
  4 : c ∈ d \ b 
  5 : c ∈ d 
  6 : c ∉ a 
  7 : c ∉ b 
  ├─ 8 : c ∈ a ∪ b 
  │    ├─ 9 : c ∈ a                ⊥ 
  │    └─ 10 : c ∈ b               ⊥ 
  └─ 11 : c ∉ a ∪ b 
       12 : c ∈ d \ (a ∪ b) 
       13 : f(c ∪ ∅) ∈ f(c) 
       ├─ 14 : c ≈ c ∪ ∅ 
       │    15 : f(c) ≈ f(c ∪ ∅) 
       │    16 : f(c) ∈ f(c)       ⊥ 
       └─ 17 : c ≉ c ∪ ∅ 
            ├─ 18 : w ∈ c 
            │    19 : w ∉ c ∪ ∅ 
            │    20 : w ∈ c ∪ ∅    ⊥ 
            └─ 21 : w ∉ c 
                 22 : w ∈ c ∪ ∅ 
                 ├─ 23 : w ∈ c     ⊥ 
                 └─ 24 : w ∈ ∅     ⊥ 

Fig. 1. A tableau proof 



— φ1 and φ2 are obtained from φ0 by means of rule (16); 

— φ3 and φ4 are obtained from φ2 by means of rule (4); 

— φ5, φ6 and φ7 are obtained from φ3 and φ4 by applying rule (6) twice; 

— φ8 and φ11 are obtained by an application of the cut rule (14), according 
to restriction R4; 

— φ9 and φ10 are obtained from φ8 by means of rule (1); the resulting 
branches are closed because they contain complementary literals; 

— φ12 is obtained from φ5 and φ11 by means of rule (7); 

— φ13 is obtained from φ1 and φ12 by means of rule (18); 

— φ14 and φ17 are obtained by an application of the cut rule (15), according 
to restriction R5; 

— φ15 is obtained from φ14 by means of rule (12); 

— φ16 is obtained from φ15 by means of rule (10); the branch is closed for 
a membership cycle; 

— φ18, φ19, φ21 and φ22 are obtained from φ17 by means of rule (13); 

— φ20 is obtained from φ18 by means of rule (2); the branch is closed because 
it contains two complementary literals; 

— φ23 and φ24 are obtained from φ22 by means of rule (1); the left branch 
is closed because it contains two complementary literals, while the right 
one contains the contradiction w ∈ ∅. 



Example 2. Figure 2 shows a tableau for the satisfiable formula (∀x ∈ a : x ∈ 
a ∪ f(a)) ∧ (a ≉ a ∪ f(a)). 
  0 : (∀x ∈ a : x ∈ a ∪ f(a)) ∧ (a ≉ a ∪ f(a)) 
  1 : ∀x ∈ a : x ∈ a ∪ f(a) 
  2 : a ≉ a ∪ f(a) 
  ├─ 3 : w ∈ a 
  │    4 : w ∉ a ∪ f(a) 
  │    5 : w ∈ a ∪ f(a)       ⊥ 
  └─ 6 : w ∉ a 
       7 : w ∈ a ∪ f(a) 
       ├─ 8 : w ∈ a           ⊥ 
       └─ 9 : w ∈ f(a) 

Fig. 2. A non-closed saturated tableau 



The deductions can be justified as follows: 

— φ1 and φ2 are obtained from φ0 by means of rule (16); 

— φ3, φ4, φ6 and φ7 are obtained from φ2 by means of rule (13); 

— φ5 is obtained from φ1 and φ3 by means of rule (18). The branch is closed 
because it contains two complementary literals; 

— φ8 and φ9 are obtained from φ7 by means of rule (1). The left branch is 
closed because it contains two complementary literals. 

We do not yet have all the tools needed to extract a model for φ from the non- 
closed and saturated rightmost branch in Figure 2, and therefore we postpone 
this task to the next section. 

4 Proof of Correctness 

Our main claim in the present section is that the tableau rules presented in 
Table 3, together with a strict saturation strategy restricted only by rules R1- 
R6 of Section 3.1, constitute a decision procedure for the theory MLSSF^. In 
order to prove this, we need to show termination of any saturation strategy subject 
to restrictions R1-R6 and to prove that the tableau calculus for the theory MLSSF^ 
is sound and complete (even in the presence of restrictions R1-R6). 



4.1 Termination 

Termination is based on the following elementary lemma, whose proof is omitted 
for brevity. 

Lemma 1. Let T be a finite collection of ground terms and n ∈ ℕ. Then the 
number of MLSSF^-formulae of degree less than or equal to n which can be 
constructed using only terms in T is finite (up to renaming of bound variables). 

Now, let φ be an MLSSF^-formula having degree n. Also, let T be the 
tableau limit for φ constructed by means of rules (1)-(18) of Table 3, subject 
to restrictions R1-R6. If T were infinite, then, by König's lemma, it would 
have an infinite branch θ. In view of the preceding lemma, in order to reach a 
contradiction it is then enough to show that the number of terms occurring in θ 
is finite, since all formulae occurring in θ must have degree less than or equal to 
n. Indeed, terms occurring in θ can be partitioned into the classes T_φ, T_θ^(13) and 
T_θ^(18), which have been defined in Section 3.1. Clearly T_φ is finite. Also, |T_θ^(13)| is 
bounded by |T_φ|², in view of restriction R3. Finally, restriction R6 implies that 
only terms in T_φ ∪ T_θ^(13) can be "used" in applications of rule (18), implying that 
even T_θ^(18) must be finite. 

Thus, we have proved 

Lemma 2. For any MLSSF^-formula φ it is possible to construct in a finite 
number of steps a saturated tableau for φ. 

4.2 Soundness 

Soundness of the MLSSF^-calculus follows immediately by inspection of the 
rules in Table 3 and by observing that all closure conditions listed in Definition 5 
are indeed unsatisfiable. Hence we have the following result. 

Lemma 3. If an MLSSF^-formula has a closed tableau then it is unsatisfiable. 



4.3 Completeness 

As a technical tool we need to define the concept of realization, which will be 
used later to construct models satisfying open and saturated branches. 

Definition 7. The realization of a directed acyclic graph G = (N, →) relative 
to a family of sets {u_p : p ∈ P} and to a bipartition (P, T) of N is the function 
R : N → V recursively defined by: 

  R_p = {R_s : s → p} ∪ {u_p}   for p in P 
  R_t = {R_s : s → t}           for t in T 

Remark 1. Notice that if the u_p's, for p ∈ P, are pairwise distinct elements 
chosen in such a way that u_p ∉ R_t, for all p in P and t in P ∪ T, then one has 
readily that R_p ≠ R_t, for all p in P and t in P ∪ T. 

Next we define the function h : N → ℕ (called the height), by putting: 

  h(t) = 0                        if s ↛ t for all s ∈ N 
  h(t) = max{h(s) : s → t} + 1    otherwise. 

The following lemma states the main properties of realizations. 



Lemma 4. Let G = (P ∪ T, →) be a directed acyclic graph, with P ∩ T = ∅. 
Also, let {u_p : p ∈ P} and R be respectively a family of sets and the realization 
of G relative to {u_p : p ∈ P} and (P, T). Assume also that u_p ∉ R_t, for all p in 
P and t in P ∪ T. Then the following properties hold: 

(i) if s → t then h(s) < h(t), for all s, t in P ∪ T; 

(ii) if R_t1 = R_t2 then h(t1) = h(t2), for all t1, t2 in P ∪ T; 

(iii) if R_s ∈ R_t then h(s) < h(t), for all s, t in P ∪ T. 

In our proof of completeness, we also rely on the following notation and 
terminology. 

Definition 8. To any open branch θ of a tableau T for an MLSSF^-formula 
φ, we associate the following objects:⁴ 

T_φ: the collection of all ground terms occurring in φ; 

T_θ^(13): the collection of all ground terms introduced on the branch θ of T by 
applications of rule (13); 

T_θ^(18): the collection of all ground terms introduced on the branch θ of T by 
applications of rule (18); 

P_θ: the collection T_θ^(13) ∪ T_θ^(18); 

P'_θ: the collection {t ∈ P_θ : there is no t' in T_φ such that t ≈ t' occurs in θ}; 

T'_θ: the set T_φ ∪ (P_θ \ P'_θ); 

G_θ: the oriented graph (P'_θ ∪ T'_θ, →), where s → t if and only if the literal s ∈ t 
occurs in θ; 

R_θ: a realization of G_θ relative to the bipartition (P'_θ, T'_θ) and to sets u_t, for 
t ∈ P'_θ, each satisfying the requirements that u_t ∉ R_θ t', for all t in P'_θ and 
t' in P'_θ ∪ T'_θ, and that u_t1 = u_t2 if and only if the literal t1 ≈ t2 occurs 
in θ;⁵ 

M_θ: the set model defined by M_θ c = R_θ c, for each uninterpreted constant 
c, and f^{M_θ}(α) = {R_θ s : s ∈ f(t) is in θ, for some term t such that 
R_θ t = α} ∪ {u_f(t) : R_θ t = α and f(t) ∈ P'_θ}, for each uninterpreted 
function symbol f and for each α in V. 

Definition 9. Given a branch θ of a tableau for φ, the realization R_θ is said to 
be COHERENT if R_θ t = M_θ t, for all t in P'_θ ∪ T_φ. 

Before entering into the details of the completeness proof, let us return to 
Example 2. 

Example 2 (contd.). Let θ be the rightmost branch of the tableau shown in 
Figure 2. Since θ is open and saturated, it is possible to construct all the objects 
of Definition 8. In particular, we have P'_θ = {w} and T'_θ = {a, f(a), a ∪ f(a)}. 
Then, having chosen a suitable set u_w, we can construct R_θ and M_θ: 

  R_θ w = {u_w}                        M_θ w = R_θ w = {u_w} 
  R_θ a = ∅                            M_θ a = R_θ a = ∅ 
  R_θ(f(a)) = {R_θ w} = {{u_w}}        f^{M_θ}(x) = {{u_w}}   if x = ∅ 
  R_θ(a ∪ f(a)) = {R_θ w} = {{u_w}}    f^{M_θ}(x) = ∅         otherwise 

⁴ For completeness, we repeat here also the definitions of T_φ, T_θ^(13), and T_θ^(18) which 
were given at the beginning of Section 3.1. 

⁵ It can easily be shown that it is always possible to choose such u_t's. 






It can easily be checked that R_θ is coherent and that M_θ ⊨ φ. This fact is not 
incidental: indeed we are going to prove that if θ is any open and saturated 
branch of an MLSSF^-tableau, then the realization R_θ is coherent and the set 
model M_θ satisfies φ. 
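The realization of Definition 7, the height function and the model M_θ of Example 2 (contd.), as an added worked example (not the paper's code): it builds R_θ for the rightmost branch of Fig. 2, checks properties (i)-(iii) of Lemma 4, and confirms that R_θ is coherent and that M_θ satisfies φ. Terms are plain strings, the string "u_w" stands in for the distinct set u_w, and the edge list read off the branch is a constructed input.

```python
"""Realization (Definition 7), height, and the model M_θ of Example 2
(contd.).  Added worked example, not the paper's code.  Terms are plain
strings and the string "u_w" stands in for the distinct set u_w."""
from functools import lru_cache

# Constructed from the rightmost open branch of Fig. 2, whose literals are
# w ∉ a, w ∈ a ∪ f(a), w ∈ f(a) and a ≉ a ∪ f(a).
P_THETA = {"w"}                                # P'_θ: term introduced by rule (13)
T_THETA = {"a", "f(a)", "a ∪ f(a)"}            # T'_θ: ground terms of φ
EDGES = {("w", "a ∪ f(a)"), ("w", "f(a)")}     # s → t iff "s ∈ t" is on the branch
U = {"w": "u_w"}                               # the chosen u_p for p in P'_θ


def realization(nodes, edges, P, u):
    """R : N → V of Definition 7, with sets as frozensets:
    R_p = {R_s : s → p} ∪ {u_p} for p in P,  R_t = {R_s : s → t} for t in T."""
    preds = {n: [s for (s, t) in edges if t == n] for n in nodes}

    @lru_cache(maxsize=None)
    def R(n):
        inner = {R(s) for s in preds[n]}       # terminates: the graph is acyclic
        if n in P:
            inner.add(u[n])
        return frozenset(inner)

    return {n: R(n) for n in nodes}


def heights(nodes, edges):
    """h(t) = 0 if no s → t, and max{h(s) : s → t} + 1 otherwise."""
    preds = {n: [s for (s, t) in edges if t == n] for n in nodes}

    @lru_cache(maxsize=None)
    def h(n):
        return 0 if not preds[n] else max(h(s) for s in preds[n]) + 1

    return {n: h(n) for n in nodes}


def lemma4_holds(nodes, edges, R, h):
    """Check properties (i)-(iii) of Lemma 4 on a realization and its heights."""
    for (s, t) in edges:                       # (i)  s → t  ⇒  h(s) < h(t)
        if not h[s] < h[t]:
            return False
    for t1 in nodes:
        for t2 in nodes:
            if R[t1] == R[t2] and h[t1] != h[t2]:      # (ii)
                return False
            if R[t1] in R[t2] and not h[t1] < h[t2]:   # (iii)
                return False
    return True


def example2_model(R):
    """M_θ of Definition 8 for Example 2: a is interpreted as R_θ a, and
    f^M(x) = {R_θ w} when x = R_θ a (because w ∈ f(a) is on the branch),
    ∅ otherwise; compound terms get their standard meaning."""
    def f_M(x):
        return frozenset({R["w"]}) if x == R["a"] else frozenset()

    M = {"a": R["a"], "w": R["w"]}
    M["f(a)"] = f_M(M["a"])
    M["a ∪ f(a)"] = M["a"] | M["f(a)"]
    return M


def coherent(R, M):
    """Definition 9: R_θ t = M_θ t for every t in P'_θ ∪ T_φ."""
    return all(R[t] == M[t] for t in R)


def satisfies_phi(M):
    """M ⊨ (∀x ∈ a : x ∈ a ∪ f(a)) ∧ (a ≉ a ∪ f(a))."""
    universal = all(x in M["a ∪ f(a)"] for x in M["a"])
    return universal and M["a"] != M["a ∪ f(a)"]


if __name__ == "__main__":
    nodes = P_THETA | T_THETA
    R = realization(nodes, EDGES, P_THETA, U)
    h = heights(nodes, EDGES)
    M = example2_model(R)
    print("R_θ:", R)
    print("h:", h, "Lemma 4:", lemma4_holds(nodes, EDGES, R, h))
    print("coherent:", coherent(R, M), "M_θ ⊨ φ:", satisfies_phi(M))
```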

Returning to the completeness proof, let φ be an MLSSF^-formula, and 
let T be a saturated tableau for it. If T is closed, we have already observed in 
Section 4.2 that φ must be unsatisfiable. So let us assume that T is not closed. 
Hence it must contain an open and saturated branch θ. To prove completeness, 
it is enough to show that φ must be satisfiable. In fact, we will show that the 
assignment M_θ must satisfy the open branch θ. 

The following lemma can be proved by induction on the number of applica- 
tions of rules (1)-(18) in Table 3. 

Lemma 5. If a literal s ∈ t occurs in a branch θ and s is a term in T_θ^(18), then 
there exists a term s' in T_φ ∪ T_θ^(13) such that the literal s ≈ s' is in θ. 

We first show in the following lemma that the realization R_θ correctly models 
all literals in an open and saturated branch θ, provided that terms are 
just considered as "complex names" for constants (namely operators are not 
interpreted). 

Lemma 6. Let θ be an open and saturated branch in a tableau for φ. Then: 

(i) if s ∈ t occurs in θ, then R_θ s ∈ R_θ t; 

(ii) if t1 ≈ t2 occurs in θ, then R_θ t1 = R_θ t2; 

(iii) if t1 ≉ t2 occurs in θ, then R_θ t1 ≠ R_θ t2; 

(iv) if s ∉ t occurs in θ, then R_θ s ∉ R_θ t. 

Proof. (i) Immediate. 

(ii) Let t1 ≈ t2 be in θ but R_θ t1 ≠ R_θ t2, and without loss of generality suppose that 
there is some α such that α ∈ R_θ t1 and α ∉ R_θ t2. If t1 ∈ P'_θ it might 
be the case that α = u_t1 and, by construction of R_θ, t2 would be in P'_θ 
and u_t1 = u_t2 ∈ R_θ t2. If instead that is not the case, or if t1 is in T'_θ, 
then there exists an s such that R_θ s = α and s ∈ t1 occurs in θ. Since θ 
is saturated, s ∈ t2 must also occur in θ, and by (i) α = R_θ s ∈ R_θ t2, a 
contradiction. 

(iii) Let t1 ≉ t2 be in θ but R_θ t1 = R_θ t2. Without loss of generality we 
can assume that t1, t2 ∈ T_φ, because otherwise θ would contain a literal 
t'1 ≉ t'2 with t'1, t'2 in T_φ and such that t1 ≈ t'1 and t2 ≈ t'2; then 
t'1 ≉ t'2 could play the role of t1 ≉ t2 in the following discussion (notice 
that if t1 (resp. t2) were in P'_θ then R_θ t1 (resp. R_θ t2) would contain among its 
elements a distinctive set u_t1 (resp. u_t2) which would force R_θ t1 ≠ R_θ t2). 
By Lemma 4 we have h(t1) = h(t2). We proceed by induction on h(t1). 
In the base case (h(t1) = 0) we reach a contradiction, since by saturation 
there is some s such that either s ∈ t1 and s ∉ t2 occur in θ, or s ∉ t1 
and s ∈ t2 occur in θ, and we would have h(t1) > 0 in either case. For 
the inductive step, without loss of generality let s ∈ t1 and s ∉ t2 be in θ 
(their occurrence is due to saturation with respect to rule (13)), for some 
s. Then R_θ s ∈ R_θ t1, which implies R_θ s ∈ R_θ t2, so that by construction 
of R_θ there exists an s' such that R_θ s = R_θ s' and s' ∈ t2 occurs in θ. 
Notice that s' ≠ s (otherwise θ would be closed). Since by Lemma 4 we 
have h(s) = h(s') < h(t1), we can apply the induction hypothesis and 
obtain the contradiction R_θ s ≠ R_θ s'. 

(iv) Let s ∉ t be in θ but R_θ s ∈ R_θ t. As R_θ s ≠ u_p, for p ∈ P'_θ, then there 
exists an s' different from s such that R_θ s = R_θ s' and s' ∈ t occurs in θ. 
By saturation s ≉ s' is in θ, and by (iii) R_θ s ≠ R_θ s', a contradiction. 

Next we show that even operators are correctly modeled by R_θ (and therefore 
by M_θ), for an open and saturated branch θ. 

Lemma 7. Let θ be an open and saturated branch in a tableau for φ. Then the 
realization R_θ is coherent. 

Proof. Let θ be an open and saturated branch. We prove that R_θ t = M_θ t, 
for each t in P'_θ ∪ T_φ, by structural induction on t. The base case is trivial 
for uninterpreted constants. Concerning ∅, notice that trivially M_θ ∅ = ∅ and 
that R_θ ∅ = ∅, since θ is open. For the inductive step we only prove that (a) 
R_θ(t1 ∩ t2) = M_θ(t1 ∩ t2) and (b) R_θ(f(t)) = M_θ(f(t)) (other cases are similar). 

Concerning (a), suppose that α ∈ R_θ(t1 ∩ t2). Then there exists a term s such 
that R_θ s = α and s ∈ t1 ∩ t2 occurs in θ. Since θ is saturated both s ∈ t1 and 
s ∈ t2 occur in θ. By Lemma 6, R_θ s ∈ R_θ t1 and R_θ s ∈ R_θ t2, and by induction 
hypothesis α ∈ M_θ t1 ∩ M_θ t2 = M_θ(t1 ∩ t2). Conversely, if α ∈ M_θ(t1 ∩ t2) 
then α ∈ M_θ t1 ∩ M_θ t2, and by induction hypothesis α ∈ R_θ t1 ∩ R_θ t2. After 
noticing that, because of the restrictions imposed on the application of the rules, 
it must be the case that t1, t2 ∈ T_φ, it follows that there exist s', s'' such that 
R_θ s' = R_θ s'' = α and both s' ∈ t1 and s'' ∈ t2 occur in θ. By saturation, either 
s' ∈ t2 or s' ∉ t2 occurs in θ. In the former case s' ∈ t1 ∩ t2 occurs in θ, and 
therefore α ∈ R_θ(t1 ∩ t2). In the latter case s' ≉ s'' occurs in θ, and therefore 
R_θ s' ≠ R_θ s'': a contradiction. 

Concerning (b), suppose that α ∈ R_θ(f(t)). If α = u_f(t) (which may happen 
only if f(t) ∈ P'_θ) then, by construction of f^{M_θ}, α ∈ f^{M_θ}(R_θ t), and by induction 
hypothesis α ∈ f^{M_θ}(M_θ t) = M_θ(f(t)). Otherwise, there exists a term s such that 
R_θ s = α and s ∈ f(t) occurs in θ. By definition of f^{M_θ}, α ∈ f^{M_θ}(R_θ t) and, again 
by induction hypothesis, α ∈ f^{M_θ}(M_θ t) = M_θ(f(t)). Conversely, if α ∈ M_θ(f(t)) 
then α ∈ f^{M_θ}(M_θ t), and by induction hypothesis α ∈ f^{M_θ}(R_θ t). Now there are 
two cases to consider: (b1) there exists a term t' such that R_θ t = R_θ t' and 
α = u_f(t'), and (b2) there exist terms s, t' such that R_θ s = α, R_θ t = R_θ t' and the 
literal s ∈ f(t') is in θ. In case (b1), by saturation, either t ≈ t' occurs in θ (and 
the claim would hold since u_f(t) = u_f(t') and u_f(t) ∈ R_θ f(t)), or t ≉ t' occurs in 
θ (which would lead to a contradiction). In case (b2), by saturation either t ≈ t' 
or t ≉ t' occurs in θ. In the former case f(t) ≈ f(t') is in θ, as well as s ∈ f(t), 
and therefore α ∈ R_θ(f(t)). In the latter case R_θ t ≠ R_θ t', a contradiction. 
The following lemma concludes the proof of completeness. 

Lemma 8. If θ is an open and saturated branch in a tableau for φ, then it is 
satisfiable, and indeed it is satisfied by M_θ. 

Proof. First notice that, by combining Lemmas 6 and 7, it follows that 
M_θ ⊨ ℓ for each literal ℓ occurring in θ. Proceeding by induction on the degree 
of formulae in θ, it is easy to see that even formulae of the form p ∧ q and ¬(p ∧ q) 
are satisfied by M_θ. Therefore, it remains to show that each formula of the form 
∀x ∈ t : ψ is satisfied by M_θ (notice that formulae of the form ¬(∀x ∈ t : ψ) 
cannot occur in θ). 

Thus, suppose by contradiction that a formula ∀x ∈ t : ψ is in θ, but M_θ ⊭ 
∀x ∈ t : ψ. Then there exists a set α ∈ M_θ t such that M_θ^{x←α} ⊭ ψ.⁶ Since, by 
Lemma 7, R_θ is coherent, we have α ∈ R_θ t and therefore there exists a term s 
such that R_θ s = α and the literal s ∈ t occurs in θ. Without loss of generality we 
can suppose that s ∈ T_φ ∪ T_θ^(13) (otherwise, by Lemma 5 there would be a term 
s' in T_φ ∪ T_θ^(13) such that the literal s ≈ s' would be in θ, and s' would play the 
role of s in the following discussion). By saturation ψ_s^x is in θ and by induction 
hypothesis M_θ ⊨ ψ_s^x. But this is a contradiction since basic model properties 
and the fact that M_θ s = α yield that M_θ^{x←α} ⊭ ψ and M_θ ⊨ ψ_s^x cannot both 
hold simultaneously. 

Summing up, we have proved 

Theorem 1. The tableau calculus for MLSSF^ is complete, even if subject to 
restrictions R1-R6. 

5 Efficiency Issues 

We first discuss some possible optimizations to the tableau calculus presented 
in the previous sections. Then, we compare our approach with those used in [1] 
and [3]. 

5.1 Minimizing the Branching Factor 

It is possible to considerably lower the branching factor of a tableau constructed 
by means of the rules (1)-(18) of Table 3 by adopting the KE calculus, a tableau 
calculus with analytic cut introduced in [6]. As noticed in [6], Smullyan's tableaux 
suffer some anomalies. These can be solved by adopting an approach based on 
the calculus KE, which forces branches to be mutually exclusive (unlike Smullyan's 
tableaux). Let us now show how the splitting rules (1), (13), and (17) in Table 3 
can be redesigned in order to make branches mutually exclusive (notice that 

⁶ M^{x←a} denotes the set model identical to M with the possible exception of x, which 
is modeled by a. 
cut rules (14) and (15) do not need to be changed). It is not difficult to fix rule 
(1), by substituting it with the rules 

    s ∈ t1 ∪ t2          s ∈ t1 ∪ t2 
    s ∉ t1               s ∉ t2 
    -----------          ----------- 
    s ∈ t2               s ∈ t1 


and by requiring the application of the cut rule (15) when a formula of the 
form s ∈ t1 ∪ t2 is in a branch θ, but neither s ∈ t1 nor s ∈ t2 is in θ. While 
rule (17) can be handled in a similar way, rule (13) is more challenging. In the 
subfragment MLSSF there is no clear way to solve the problem in a 
simple and elegant manner. In fact, one could think of substituting rule (13) with, 
for instance, 

ti ^ t2 



C — ti 


C / ti 


C-/- t2 


C - t2 




tl U t2 ~ h 



But in doing so a new term t1 ∪ t2 is introduced, and termination would be in 
jeopardy (or, at least, more difficult to prove). Instead, using the expressiveness 
of MLSSF^, one can substitute rule (13) with 



ti ^ t2 



c — t\ 


C / ti 


c / t2 


CM 

1 




\!x — t\\ X — l2 



without generating new terms, therefore ensuring termination, and fully achiev- 
ing our purpose of solving the anomalies of Smullyan's tableaux in the spirit of 
the KE calculus. 

5.2 Model Checking or Exhaustive Saturation? 

A legitimate question about the comparison between the interleaving model- 
checking approach used in [1,3] and the exhaustive approach used in this paper 
and in [5] is "does the new approach really do less work than the previous one?" 
We claim that the new approach does not require more applications of split rules 
than the previous one. Moreover, useful cuts can be decided more efficiently. In 
fact, notice that 

- the applications of rule (1) (or the corresponding cut rules required if 
one wishes to use the KE approach) correspond to rule (R7) in [1], and 
to rule (3) in [3]; 

— the applications of rule (17) correspond to the /^-propositional schema 
given in [1]. There is no corresponding rule in [3], since there only con- 
junctions of normalized literals were considered; 
- the applications of rule (13) hinted by restriction R3 (cf. Section 3.1) 
correspond to rule (R12) in [1] and to rule (12) in [3]; 

- literals of the form s ti\lt 2 and s ti — t 2 do not trigger any split 
rule, in contrast to rules (R8) and (R9) in [1]. 

Roughly speaking, the cuts that in the previous approach were triggered by the 
model-checking steps correspond to the applications of the cut rule (14) hinted 
by restriction R4. (The part relative to the set difference operator \ is closely 
reminiscent of rule (11) in [3].) Therefore, we can expect that the size of the tableau 
built with the new approach is not greater than the size of the tableau built with 
the old approach. Now, what is the new cost for deciding cuts? In the previous 
approach, deciding a cut is very costly, since one has to build a model and verify 
that the model satisfies the branch. Instead, in the new approach it is possible 
to decide more efficiently which cut to apply, provided that suitable information 
is collected in the linear saturation phase.⁷ For instance, it could be enough to 
maintain a list L of pending cuts of the form 

- ti ^ ? 2 , for rule (13), 

- 5 — ? t, for rule (14), 

- ti ^7 ? 2 , for rule (15), 

and then the following high-level code 

    if s ∈ t1 is in θ or s ∈ t2 is in θ then 
        skip 
    else if s ∉ t1 is in θ then 
        θ := θ ∪ {s ∈ t2} 
    else if s ∉ t2 is in θ then 
        θ := θ ∪ {s ∈ t1} 
    else 
        L := L ∪ {s ∈? t1} 
    end if 

could be called during the linear saturation phase when a literal s ∈ t1 ∪ t2 
occurs in a branch θ (other types of literals could be handled similarly). When 
θ is linearly saturated, and possibly after a closure check, it is enough to choose 
arbitrarily an element from L and apply the relative cut rule, 
idea should be 
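As an added example (not code from the paper), the following Python script spells out the bookkeeping described above: a branch θ is a set of literals over set terms, `handle_union_literal` mirrors the high-level code for a literal s ∈ t1 ∪ t2, `linear_saturation` repeats it until θ stops growing while collecting the pending cuts L, and `split_on_cut` applies a chosen membership cut, producing the two mutually exclusive branches of the KE approach. The tuple encoding of literals, the function names and the sample branches are assumptions made for this example; only the union literal is handled, other literal kinds would be added the same way.

```python
# Added example: pending-cut bookkeeping for the linear saturation phase.
# Literals are tuples ('in' | 'notin', s, t); a union term is ('union', t1, t2).
# The encoding, the function names and the sample branches are assumptions
# made for this example, not the paper's own code.

def union(t1, t2):
    return ('union', t1, t2)

def handle_union_literal(branch, pending, s, t1, t2):
    """Mirror of the high-level code for a literal s ∈ t1 ∪ t2 on branch θ."""
    if ('in', s, t1) in branch or ('in', s, t2) in branch:
        return                                  # already decided: skip
    if ('notin', s, t1) in branch:
        branch.add(('in', s, t2))               # KE rule: s ∈ t1∪t2, s ∉ t1 / s ∈ t2
    elif ('notin', s, t2) in branch:
        branch.add(('in', s, t1))               # KE rule: s ∈ t1∪t2, s ∉ t2 / s ∈ t1
    else:
        cut = ('cut', s, t1)                    # defer the split: s ∈? t1
        if cut not in pending:
            pending.append(cut)

def linear_saturation(literals):
    """Apply the non-splitting handler until θ stops growing.
    Returns the saturated branch and the list L of still-undecided cuts."""
    branch, pending = set(literals), []
    while True:
        size = len(branch)
        for kind, s, t in list(branch):
            if kind == 'in' and isinstance(t, tuple) and t[0] == 'union':
                handle_union_literal(branch, pending, s, t[1], t[2])
        if len(branch) == size:
            break
    # a later inference may have settled a cut that was queued earlier
    pending = [c for c in pending
               if ('in', c[1], c[2]) not in branch and ('notin', c[1], c[2]) not in branch]
    return branch, pending

def is_closed(branch):
    """A branch closes when it contains a literal together with its negation."""
    return any(('notin', s, t) in branch for kind, s, t in branch if kind == 'in')

def split_on_cut(branch, cut):
    """Apply the membership cut s ∈? t: return the two mutually exclusive branches."""
    _, s, t = cut
    return branch | {('in', s, t)}, branch | {('notin', s, t)}

if __name__ == '__main__':
    # constructed sample branch: x ∈ a ∪ (c ∪ d) and x ∉ a
    theta = {('in', 'x', union('a', union('c', 'd'))), ('notin', 'x', 'a')}
    theta, L = linear_saturation(theta)     # infers x ∈ c ∪ d, queues x ∈? c
    print(sorted(map(str, theta)), L)
    pos, neg = split_on_cut(theta, L[0])
    print(linear_saturation(neg))           # the x ∉ c branch infers x ∈ d
```

Running the script on the sample branch shows the two phases: saturation first derives x ∈ c ∪ d from x ∉ a without any split, then the only remaining uncertainty (x ∈? c) is recorded in L rather than branched on immediately.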

6 Conclusion and Future Developments 

We have presented a sound and complete tableau calculus for the fragment 
MLSSF^, which extends MLSSF with a restricted form of quantification. We 
have also provided a saturation strategy which is guaranteed to terminate. The 
basic idea is the same as in [5], but applied to a more general case. 

⁷ The linear saturation phase consists of the exhaustive application of all the rules in 
Table 3 except the splitting ones. 

We plan to extend our approach to admit also the constants N and O, which 
allow one to state interesting facts about natural numbers and ordinals (cf. [2]). 
We also plan to extend our approach to other fragments of set theory (cf. [4]). 
Abstract. The aim of this work is to perform a proof-theoretical in- 
vestigation of some propositional logics underlying either finite-valued 
Gödel logic or finite-valued Łukasiewicz logic. We define cut-free hyper- 
sequent calculi for logics obtained by adding either the n-contraction law 
or the n-weak law of excluded middle to affine intuitionistic linear logic 
with the linearity axiom (A → B) ∨ (B → A). We also develop cut-free 
calculi for the classical counterparts of these logics. Moreover we define a 
hypersequent calculus for LsPl L4 in which the cut-elimination theorem 
holds. This calculus allows one to define an alternative axiomatization of Ł4 
making no use of the Łukasiewicz axiom. 



1 Introduction 

In this paper we develop cut-free calculi for some propositional logics underlying 
either finite-valued Gödel logic or finite-valued Łukasiewicz logic. 

In most of the logics considered here, the contraction law does not hold. 
This entails the splitting of the connectives "and" and "or" of classical logic CL 
into lattice (or additive¹) connectives ∧ and ∨, and monoidal (or multiplicative) 
connectives ⊙ and ⊕. Moreover the truth values of all these logics are always 
linearly ordered. 

All the logics we consider are extensions of the affine intuitionistic linear 
logic (without exponential connectives) a-MAILL², also known as HBCK [16] or 
monoidal logic [12], with the linearity axiom (A → B) ∨ (B → A). Let A^n be an 
abbreviation of A ⊙ ... ⊙ A (n times). By extending the aforementioned system 
by either the n-contraction law A^{n−1} → A^n or the n-weak law of excluded 
middle A ∨ ¬A^{n−1}, with n ≥ 2, one gets two families of systems, respectively 
denoted ICn and IWn. IC2 coincides with Gödel logic while IW2 is CL. We also 
consider the classical counterparts of ICn and IWn. We respectively denote by 
CCn and CWn the logics obtained by adding to ICn and IWn the law of double 
negation ¬¬A → A. CC2 and CW2 coincide with CL while CW3 turns out to 
be 3-valued Łukasiewicz logic. CWn is the system Wn, investigated in [7], with 
the linearity axiom. For n > 3 both CCn and CWn are proper subsystems of 
n-valued Łukasiewicz logic Łn. 

¹ The terminology is due to [9]. 

² a-MAILL stands for the Multiplicative Additive fragment of Intuitionistic Linear 
Logic [9] enriched with weakening rules. 

Neil V. Murray (Ed.): TABLEAUX’99, LNAI 1617, pp. 113-128, 1999. 
In [17] Prijatelj considered related systems, namely, a-MAILL and a-MALL³ 
with the n-contraction law. In [13] MAILL with the knotted structural rules (n, k), 
for k > 0 and n ≠ k, is investigated. In both papers, the authors provided a Gentzen 
style formulation for these systems, lacking, however, the analyticity property. 

In this paper we develop calculi for ICn, IWn, CCn and CWn in which the 
cut-elimination theorem holds. These calculi are in the form of hypersequent 
calculi. 

Both a-MAILL and a-MALL have natural formulations in terms of Gentzen 
calculi, see e.g. [15,18,9]. On the other hand, the linearity axiom can be enforced 
on a given sequent calculus by transferring it to a hypersequent calculus, see 
[6], in analogy to Avron's work on Gödel logic [3]. Here we define some suitable 
hypersequent rules allowing one to prove the n-contraction law and the n-weak law of 
excluded middle in both the intuitionistic and classical contraction-free contexts, 
thus obtaining cut-free calculi for ICn, IWn, CCn and CWn. 

Finally, by adding a new rule to the hypersequent calculus for a-MALL ex- 
tended by the 4-weak law of excluded middle [7] we define a cut-free calculus for 
Lafl L4. This calculus can be seen as a step forward to finding a cut-free hyperse- 
quent calculus for Ł4. Moreover it allows one to define an alternative axiomatization 
for Ł4 making no use of the Łukasiewicz axiom ((A → B) → B) → ((B → A) → 
A). 

2 Hypersequent Calculi 

Hypersequent calculi are a simple and natural generalization of ordinary Gentzen 
calculi, see e.g. [1,2,4,3,5]. 

Definition 1. A hypersequent is an expression of the form Γ_1 ⊢ Δ_1 | ··· | Γ_n ⊢ 
Δ_n, where for all i = 1, ..., n, Γ_i ⊢ Δ_i is an ordinary sequent; Γ_i ⊢ Δ_i is 
called a component of the hypersequent. We say that a hypersequent is single- 
conclusion if for any i = 1, ..., n, Δ_i consists of at most one formula, otherwise 
the hypersequent is said to be multiple-conclusion. 

The intended meaning of the symbol | is disjunctive. For the purposes of this pa- 
per it is convenient to treat sequents and hypersequents as multisets of formulas 
and multisets of sequents, respectively. 

Like in ordinary sequent calculi, in a hypersequent calculus there are initial 
hypersequents and rules, which are divided into logical and structural rules. The 
logical ones are essentially the same as in sequent calculi, the only difference 
being the presence of dummy contexts, called side hypersequents. We will use 
the symbol G to denote a side hypersequent. 

The structural rules are divided into internal and external rules. The former 
deal with formulas within components. If they are present, they are the same 
as in ordinary sequent calculi. The external rules manipulate whole components 

³ a-MALL stands for the Multiplicative Additive fragment of Linear Logic extended 
by weakening rules. 
within a hypersequent. These are external weakening (EW) and contraction 
(EC). For instance, the hypersequent calculus for a-MALL is the following: 

                           G|Γ ⊢ Δ, A     G'|Γ', A ⊢ Δ' 
(id)  A ⊢ A        (cut)  ----------------------------- 
                               G|G'|Γ, Γ' ⊢ Δ, Δ' 

Internal Structural Rules 

         G|Γ ⊢ Δ                    G|Γ ⊢ Δ 
(w,l)  ------------        (w,r)  ------------ 
        G|Γ, B ⊢ Δ                 G|Γ ⊢ Δ, B 

External Structural Rules 

          G|Γ ⊢ Δ                   G|Γ ⊢ Δ|Γ ⊢ Δ 
(EW)  ----------------      (EC)  ----------------- 
       G|Γ ⊢ Δ|Γ' ⊢ Δ'                 G|Γ ⊢ Δ 

Multiplicative fragment 

         G|Γ, A ⊢ Δ     G'|Γ', B ⊢ Δ'                 G|Γ ⊢ Δ, A, B 
(⊕,l)  -------------------------------       (⊕,r)  ---------------- 
         G|G'|Γ, Γ', A ⊕ B ⊢ Δ, Δ'                    G|Γ ⊢ Δ, A ⊕ B 

         G|Γ, A, B ⊢ Δ                        G|Γ ⊢ Δ, A     G'|Γ' ⊢ Δ', B 
(⊙,l)  -----------------             (⊙,r)  ------------------------------- 
        G|Γ, A ⊙ B ⊢ Δ                        G|G'|Γ, Γ' ⊢ Δ, Δ', A ⊙ B 

         G|Γ ⊢ Δ, A     G'|Γ', B ⊢ Δ'                 G|Γ, A ⊢ Δ, B 
(→,l)  -------------------------------       (→,r)  ---------------- 
         G|G'|Γ, Γ', A → B ⊢ Δ, Δ'                    G|Γ ⊢ Δ, A → B 

Additive fragment 

         G|Γ, A ⊢ Δ     G'|Γ, B ⊢ Δ                   G|Γ ⊢ Δ, A_i 
(∨,l)  -----------------------------        (∨,r_i)  -------------------- 
           G|G'|Γ, A ∨ B ⊢ Δ                          G|Γ ⊢ Δ, A_1 ∨ A_2 

            G|Γ, A_i ⊢ Δ                      G|Γ ⊢ Δ, A     G'|Γ ⊢ Δ, B 
(∧,l_i)  --------------------        (∧,r)  ----------------------------- 
          G|Γ, A_1 ∧ A_2 ⊢ Δ                     G|G'|Γ ⊢ Δ, A ∧ B 

         G|Γ ⊢ Δ, A                           G|Γ, A ⊢ Δ 
(¬,l)  --------------               (¬,r)  -------------- 
        G|Γ, ¬A ⊢ Δ                          G|Γ ⊢ Δ, ¬A 


The above calculus is redundant, in the sense that if a hypersequent Γ_1 ⊢ 
Δ_1 | ... | Γ_k ⊢ Δ_k is derivable, then, for some i ∈ {1, ..., k}, Γ_i ⊢ Δ_i is deriv- 
able too. 

A hypersequent calculus for a-MAILL is obtainable by the single-conclusion 
version of the above calculus for a-MALL. 

In hypersequent calculi it is possible to define new structural rules which 
simultaneously act on several components of one or more hypersequents. It is 
this type of rule which increases the expressive power of hypersequent calculi 
with respect to ordinary sequent calculi. 

Effective use of this kind of rule is given by the following examples: 



- The Hilbert-style axiomatization of the LQ logic is obtained by extending 
the axioms of IL with ¬A ∨ ¬¬A. A cut-free calculus for this logic is defined 
by adding the following rule to the hypersequent calculus for IL [7]: 

          G|Γ, Γ' ⊢ 
(lq)  ---------------- 
        G|Γ ⊢ |Γ' ⊢ 


— By extending the hypersequent calculus for a-MALL with either 



^ ^ G\G'\l\Gl^ A^,A{\V2,n^ A2 ,A'^\Vz,11^ A^,A'^ 

G\A,ri^Ai,n G'\u,r2^ A2 ,ii 

G\G'\l\,r2^ A^,A2\ A ^ II 



(3— weak) 
[7] one gets a cut-free calculus for 3-valued Łukasiewicz logic. 
- By adding the following rule 

         G|Γ, Γ' ⊢ A     G'|Γ_1, Γ'_1 ⊢ B 
(com)  ----------------------------------  [3] 
         G|G'|Γ, Γ_1 ⊢ A|Γ', Γ'_1 ⊢ B 

to the hypersequent calculus for IL one obtains a cut-free calculus for Gödel 
logic. 



As shown in [6], cut-elimination in a single-conclusion sequent calculus entails 
cut-elimination in the corresponding hypersequent calculus extended with the 
(com) rule. As an immediate consequence, the cut rule is eliminable in the hy- 
persequent calculus for a-MAILL with the (com) rule. 

Let us consider the following generalization of the (com) rule to a multiple- 
conclusion hypersequent calculus: 

         G|Γ, Γ' ⊢ Δ, Δ'     G'|Γ_1, Γ'_1 ⊢ Δ_1, Δ'_1 
(lin)  --------------------------------------------- 
         G|G'|Γ, Γ_1 ⊢ Δ, Δ_1|Γ', Γ'_1 ⊢ Δ', Δ'_1 

It is not hard to see that the hypersequent calculus for a-MALL with the (lin) 
rule admits cut-elimination. 



3 Bounded Contraction in Intuitionistic Systems with 
linearity 

In this section we define cut-free hypersequent calculi for the systems ICn and 
IWn, with n ≥ 2, respectively obtained by adding either the n-contraction law 
A^{n−1} → A^n or the n-weak law of excluded middle A ∨ ¬A^{n−1} to the Hilbert- 
style axiomatization of a-MAILL (see e.g. [18]) with (A → B) ∨ (B → A). The 
only rule of inference is modus ponens. 

Definition 2. M = (M, *, ⇒, ∧, ∨, 1, 0, ⊥, ⊤) is an intuitionistic linear alge- 
bra (IL-algebra for short), see [18], if: 

1. (M, *, 1) is a commutative monoid with unit element 1; 

2. (M, ∧, ∨, ⊥, ⊤) is a lattice with bottom ⊥ and top ⊤; 

3. * and ⇒ are monotone with respect to the lattice order ≤, that is, for every 
a, b, c ∈ M, if a ≤ b then a * c ≤ b * c and b ⇒ c ≤ a ⇒ c; 

4. for every a, b, c ∈ M, a * b ≤ c iff a ≤ b ⇒ c; 

5. ¬a coincides with a ⇒ 0. 

IL-algebras are a semantical counterpart of MAILL. 

In an IL-algebra we have a ⇒ b ≥ 1 if and only if a ≤ b. 

Definition 3. M = (M, *, ⇒, ∧, ∨, 1, 0, ⊥, ⊤) is an ILa-algebra if it is an IL- 
algebra with the additional property: 

(w) ⊥ = 0 and ⊤ = 1. 
As is well known, from a deductive point of view, condition (w) corresponds to 
the presence of weakening rules in the associated sequent calculus. 

Lemma 4. In all ILa-algebras, for every a, b ∈ M, the following conditions hold: 
(1) a * b ≤ a ∧ b and (2) a * b ≤ a. 

ILa-algebras are also known as integral commutative residuated l-monoids [12]. 

Lemma 5. The class of all ILa-algebras forms a variety. 

Definition 6. An ILa_lin-algebra is an ILa-algebra satisfying 
(linearity) (a ⇒ b) ∨ (b ⇒ a) = 1. 

Let a^n be an abbreviation of a * ... * a (n times). An ILa_lin^{cn}-algebra is an ILa_lin- 
algebra such that 

(n-contraction) a^{n−1} ≤ a^n. 

An ILa_lin^{wn}-algebra is an ILa_lin-algebra satisfying the additional condition 

(n-weak) a ∨ ¬a^{n−1} = 1. 

Remark 7. An ILa_lin^{cn}-algebra is an IPL_n-algebra [17] satisfying the (linearity) 
condition. A BL-algebra [11] is an ILa_lin-algebra such that a ∧ b = a * (a ⇒ b). 

Proposition 8. ICn and IWn are respectively characterized by the class of all 
totally ordered ILa_lin^{cn}- and ILa_lin^{wn}-algebras. 

Proof. By Birkhoff's Theorem, one can show that ICn (respectively, IWn) is 
characterized by the class of all subdirectly irreducible ILa-algebras satisfying 
the (linearity) and the (n-contraction) (respectively, the (n-weak)) condition. 
Since in any subdirectly irreducible ILa-algebra x ∨ y = 1 implies x = 1 or 
y = 1, see [14], the claim follows. 

Definition 9. Given an ILa_lin^{cn}-algebra M, an evaluation v is a mapping v : 
Var → M, where Var is the set of variables of the logic, which can be extended 
to formulas as follows: 

v(¬A) = ¬v(A)              v(0) = 0              v(1) = 1 
v(A → B) = v(A) ⇒ v(B)     v(A ⊙ B) = v(A) * v(B) 
v(A ∨ B) = v(A) ∨ v(B)     v(A ∧ B) = v(A) ∧ v(B). 

We say that a formula P is true in M if for all evaluations v on M, v(P) = 1. 
A formula is ILa_lin^{cn}-valid if it is true in every ILa_lin^{cn}-algebra. 

A sequent Γ ⊢ B, where Γ = A_1, ..., A_k, is true in an ILa_lin^{cn}-algebra M if 
the formula A_1 ⊙ ... ⊙ A_k → B is true in M. Moreover we stipulate that Γ ⊢ 
and ⊢ B are true in M if so are Γ ⇒ 0 and 1 ⇒ B, respectively. 

A hypersequent G_1 | ... | G_m is true in an ILa_lin^{cn}-algebra M iff v(G_1) ∨ ... ∨ 
v(G_m) is true in M. 

The same applies to ILa_lin^{wn}-algebras. 
Definition 10. For n ≥ 2, the hICn calculus is obtained by adding the following 
rule 

               n times                                n times 
            ------------                           ------------------ 
        G_1|Γ, A_1, ..., A_1 ⊢ B   ...   G_{n−1}|Γ, A_{n−1}, ..., A_{n−1} ⊢ B 
(ic_n)  ----------------------------------------------------------------- 
                G_1| ... |G_{n−1}|Γ, A_1, ..., A_{n−1} ⊢ B 

and the (com) rule to the hypersequent calculus for a-MAILL. 

Note that (ic_2) is the internal contraction rule. Thus hIC2 coincides with the 
calculus for Gödel logic introduced in [3]. 

We show that hICn is sound and complete with respect to validity in ILa_lin^{cn}- 
algebras. 

Theorem 11 (Soundness). If a hypersequent H is derivable in hICn, then it 
is valid in all ILa_lin^{cn}-algebras. 



Proof. By induction on the length of a derivation of H. By Proposition 8 it 
suffices to show that the rules of hICn are true in all totally ordered ILa_lin^{cn}- 
algebras. It is an easy exercise for the reader to check that so are the (com) rule 
and the rules of the hypersequent calculus for a-MAILL. We will only show the 
soundness of the (ic_n) rule. To simplify the notation we can safely assume that 
there are no side hypersequents. 

Let M be a totally ordered ILa_lin^{cn}-algebra and v any interpretation. By 
hypothesis, v(Γ) * v(A_i)^n ≤ v(B), for every i = 1, ..., n − 1. We have to show that 
v(Γ) * v(A_1) * ... * v(A_{n−1}) ⇒ v(B) = 1. If v(A_m) = max{v(A_j) | j = 1, ..., n − 1}, 
then v(Γ) * v(A_1) * ... * v(A_{n−1}) ≤ v(Γ) * v(A_m)^{n−1} = v(Γ) * v(A_m)^n ≤ v(B). 
Thus v(Γ) * v(A_1) * ... * v(A_{n−1}) ⇒ v(B) = 1. 



Theorem 12 (Completeness). If a formula P is ILa_lin^{cn}-valid, then ⊢ P is 
derivable in hICn. 

Proof. As usual we show that the Lindenbaum algebra M_n, determined by hICn, 
is an ILa_lin^{cn}-algebra. The M_n algebra is constructed in the standard way: For 
any two formulas A and B of the language we set A ≡_n B iff A ⊢ B and 
B ⊢ A are both derivable in hICn. Then ≡_n is a congruence relation. For each n, 
M_n = (S_n, *, ⇒, ∧, ∨, 0, 1), where S_n is the set of equivalence classes [A]_{≡n} of 
formulas and the operations are defined in the natural way: 

¬[A]_{≡n} := [¬A]_{≡n} 

[A]_{≡n} ⇒ [B]_{≡n} := [A → B]_{≡n}        [A]_{≡n} * [B]_{≡n} := [A ⊙ B]_{≡n} 

[A]_{≡n} ∧ [B]_{≡n} := [A ∧ B]_{≡n}        [A]_{≡n} ∨ [B]_{≡n} := [A ∨ B]_{≡n} 

1 := {A | ⊢ A is derivable in hICn}        0 := {A | A ⊢ is derivable in hICn}. 

It is not hard to prove that M_n is an ILa_lin^{cn}-algebra. We only show the identity 
[A]^{n−1} ≤ [A]^n. By definition, this identity holds if and only if the formula 
A^{n−1} → A^n is derivable in hICn. The following derivation yields the desired 
result: 



     A ⊢ A  ...  A ⊢ A                    A ⊢ A  ...  A ⊢ A 
     -----------------(⊙,r)     ...       -----------------(⊙,r) 
      A, ..., A ⊢ A^n                      A, ..., A ⊢ A^n 
        (n times)                            (n times) 
     -------------------------------------------------------(ic_n) 
                  A, ..., A ⊢ A^n   (n − 1 times) 
                  ------------------(⊙,l) 
                    A^{n−1} ⊢ A^n 
                  ------------------(→,r) 
                   ⊢ A^{n−1} → A^n 

In [3] (or [6]) it is shown how to derive the linearity axiom. 

If a formula P is ILa_lin^{cn}-valid, then in particular P is true in M_n and v(P) = 
1 under the canonical evaluation v, defined as v(P) = [P]_{≡n}. This implies that 
P ∈ 1, so that ⊢ P is derivable in hICn. 



We show that the cut rule is eliminable in hICn. 

Theorem 13. If G|Γ ⊢ A and G'|Γ', A ⊢ B are provable in hICn, then so is 
G|G'|Γ, Γ' ⊢ B. 

Proof. Cut elimination for hypersequent calculi works essentially in the same 
way as for the corresponding sequent calculi. 

In order to deal with the (ic_n) rule we prove something stronger: that is, if 
G|Γ ⊢ A and G'|Γ', A^k ⊢ B are provable, then so is G|G'|Γ^k, Γ' ⊢ B, where A^k 
stands for A, ..., A (k times). 

One way to make the inductive argument work in the presence of the (EC) rule 
is to consider the number of applications of this rule in a given deriva- 
tion as an independent parameter. The proof will proceed by induction on 
lexicographically-ordered triples of integers (r, c, h), where r is the number of 
applications of the (EC) rule in the proofs of the premises of the cut rule, c is 
the complexity of the cut formula, and h is the sum of the lengths of the proofs of 
the premises of the cut rule. It suffices to consider the following cases according 
to which inference rule is being applied just before the application of the cut 
rule: 

1. either G|Γ ⊢ A or G'|Γ', A^k ⊢ B is an initial hypersequent, that is of the 
form A ⊢ A; 

2. either G|Γ ⊢ A or G'|Γ', A^k ⊢ B is derived from a structural rule; 

3. both G|Γ ⊢ A and G'|Γ', A^k ⊢ B are lower sequents of some logical rules 
such that the cut formula is the principal formula of both rules. 

We will give here a proof for some relevant cases, omitting the side hypersequents 
that are not involved in the derivation. 

Suppose that the last inference in the proof of one premise of the cut is the 
(EC) rule, i.e., 

     Γ ⊢ A|Γ ⊢ A 
     ------------(EC) 
        Γ ⊢ A              A, Γ' ⊢ B 
     -------------------------------(cut) 
               Γ, Γ' ⊢ B 

Let r be the number of applications of the (EC) rule in the above proof. This 
proof can be replaced by 

     Γ ⊢ A|Γ ⊢ A     A, Γ' ⊢ B 
     --------------------------(cut) 
        Γ, Γ' ⊢ B|Γ ⊢ A              A, Γ' ⊢ B 
     -----------------------------------------(cut) 
             Γ', Γ ⊢ B|Γ', Γ ⊢ B 
             -------------------(EC) 
                  Γ', Γ ⊢ B 

which contains two cuts with r − 1 applications of the (EC) rule. Then these 
cuts can be eliminated by induction hypothesis. 

Suppose that the last inference in the proof of one premise of the cut is the 
{icn) rule and the proof ends as follows: 



n times 



r,Au. 



n times 

^ ) ^n — 1’) • • • 5 ^n—1 b E 

An-l h B 



(iCji) 



^n— 1 



r'hAi 
h B 



{cut) 



This proof can be replaced by: 



n times 



r,Ai,...,Ai^ B r'^Ai 



n times 



(cut) 






r,r',Ao 



n times 

^ 15 • • • 5 ^n — 1 b B 

. , An-l b B 



{^^n) 



where the cut has been shifted upward, whence it can be eliminated by induction 
hypothesis. 

In [3] it is shown how to eliminate cuts involving the (com) rule. The remain- 
ing cases can be treated as in the corresponding sequent calculi. 



Remark 14. One can show that, for every n ≥ 2, the n-contraction rule 

          Γ, A, ..., A ⊢ B   (n times) 
(LC_n)  ---------------------------------  [17] 
          Γ, A, ..., A ⊢ B   (n − 1 times) 

is derivable in hICn. However, in contrast to our systems hICn, by adding the 
(LC_n) rules to the sequent calculus for a-MAILL, one obtains a family of calculi 
in which the cut rule is not eliminable. Indeed, in [16] it was shown that in these 
calculi, for any n ≥ 2, the sequent A, (B → A) → ((B → A) → (... → ((B → A) → 
C) ...)) ⊢ C, where (B → A) occurs n times in the indicated 
subformula of the antecedent, provides a counterexample for cut-elimination. 
Remark 15. In [13] the extensions of MAILL with the so called knotted structural 
rules are discussed. For every n ≠ k and k > 0, each knotted structural rule has 
the following form: 

          Γ, A, ..., A ⊢ B   (n times) 
(n, k)  -------------------------------  [13] 
          Γ, A, ..., A ⊢ B   (k times) 

The (LC_n) rule is a particular case of the (n, k) rule. The latter is a restricted 
form of the weakening rule when n < k, and of the contraction rule when n > k. 
In [13] it was proved that in the sequent calculus for MAILL extended by the 
(n, k) rule, the cut-elimination theorem holds if and only if k = 1. 

For every n ≠ k and k > 0, let us consider the following rule, obtained by 
slightly modifying the (ic_n) rule of Definition 10: 

            Γ, A_1, ..., A_1 ⊢ B   ...   Γ, A_k, ..., A_k ⊢ B   (n times each) 
(ic_n^k)  ----------------------------------------------------- 
                          Γ, A_1, ..., A_k ⊢ B 

If we add to the sequent calculus for MAILL the (ic_n^k) rule we can derive (n, k). 
It is easy to see that in this calculus the cut-elimination theorem holds for every 
n, k > 1. 

Definition 16. For n ≥ 2, the hIWn calculus is obtained by adding the follow- 
ing rule to the hypersequent calculus for a-MAILL with the (com) rule 

          G_1|Γ, A_1 ⊢ B   ...   G_{n−1}|Γ, A_{n−1} ⊢ B 
(iw_n)  ------------------------------------------------- 
          G_1| ... |G_{n−1}|A_1, ..., A_{n−1} ⊢ |Γ ⊢ B 

(iw_2) turns out to coincide with the (cl) rule introduced in [7] (see also [5]). 
Then hIW2 is a (single-conclusion) hypersequent calculus for CL. 

We show that hIWn is sound and complete with respect to validity in ILa_lin^{wn}- 
algebras. 

Theorem 17 (Soundness). If a hypersequent H is derivable in hIWn, then it 
is ILa_lin^{wn}-valid. 

Proof. We argue as in Theorem 11. As an example, we show the soundness of 
the (iw_n) rule with respect to all totally ordered ILa_lin^{wn}-algebras. By hypothesis, 
v(A_i) * v(Γ) ≤ v(B), for every i = 1, ..., n − 1. We have to show that either 
v(A_1) * ... * v(A_{n−1}) ≤ 0 or v(Γ) ≤ v(B). Let v(A_m) = max{v(A_j) | j = 
1, ..., n − 1}. Then (*) v(A_1) * ... * v(A_{n−1}) ≤ v(A_m)^{n−1}. By the (n-weak) 
condition there are two cases: v(A_m) = 1 or v(A_m)^{n−1} = 0. In the first case, 
from v(A_m) * v(Γ) ≤ v(B) it follows v(Γ) ≤ v(B). In the second case, from (*) we 
have v(A_1) * ... * v(A_{n−1}) ≤ 0. 
Theorem 18 (Completeness). If a formula P is ILa_lin^{wn}-valid, then ⊢ P is 
derivable in hIWn. 

Proof. The proof proceeds as in Theorem 12. We show how to derive the formula 
A ∨ ¬A^{n−1}: 

     A ⊢ A  ...  A ⊢ A   (n − 1 times) 
     ----------------------------------(iw_n) 
         A, ..., A ⊢ |⊢ A 
     ----------------------(⊙,l) 
         ⊢ A|A^{n−1} ⊢ 
     ----------------------(¬,r), (∨,r), (EC) 
         ⊢ A ∨ ¬A^{n−1} 

The following result shows that the cut is eliminable in hIWn. 

Theorem 19. If G|Γ ⊢ A and G'|Γ', A ⊢ B are provable in hIWn, so is 
G|G'|Γ, Γ' ⊢ B. 

Proof. The proof is similar to the one for hICn. We only show how to eliminate 
a cut involving the (iw_n) rule: 

     Γ, A_1, A ⊢ B  ...  Γ, A_{n−1}, A ⊢ B 
     --------------------------------------(iw_n) 
       A_1, ..., A_{n−1} ⊢ |Γ, A ⊢ B                 Γ' ⊢ A 
     --------------------------------------------------------(cut) 
                A_1, ..., A_{n−1} ⊢ |Γ, Γ' ⊢ B 

This proof can be replaced by a proof having n − 1 cuts in which the sum of the 
lengths of the proofs in the premises is smaller than in the above cut: 

     Γ, A_1, A ⊢ B   Γ' ⊢ A             Γ, A_{n−1}, A ⊢ B   Γ' ⊢ A 
     ----------------------(cut)   ...   -------------------------(cut) 
         Γ, Γ', A_1 ⊢ B                     Γ, Γ', A_{n−1} ⊢ B 
     -------------------------------------------------------------(iw_n) 
                  A_1, ..., A_{n−1} ⊢ |Γ, Γ' ⊢ B 

Then these cuts can be eliminated by induction hypothesis. 

Remark 20. It is easy to see that, for every n ≥ 2, hICn is a proper subsystem 
of hIWn. 

4 Bounded Contraction in Classical Systems with 
linearity 

This section is devoted to investigating the classical counterparts of ICn and IWn. 
We define cut-free hypersequent calculi for the systems CCn and CWn, with n ≥ 2, 
respectively obtained by adding either the n-contraction law A^{n−1} → A^n or 
the n-weak law of excluded middle A ∨ ¬A^{n−1} to a-MALL with the axiom 
(A → B) ∨ (B → A). CWn is the system Wn considered in [7] plus the linearity 
axiom. By comparing their calculi, it is easy to see that, for every n > 3, CCn 
is a proper subsystem of CWn. 

As we mentioned in the introduction, both CCn and CWn are subsystems 
of n-valued Łukasiewicz logic Łn. In the particular case n = 3, W3 (and then 
CW3) coincides with 3-valued Łukasiewicz logic, see [7]. 

By extending the calculus for W4 with a new rule, we shall define a cut-free 
hypersequent calculus for Lafl L4. This calculus allows one to define an alternative 
Hilbert-style axiomatization of Ł4 making no use of the Łukasiewicz axiom. 

Definition 21. An IL-algebra is a classical linear algebra (CL-algebra for short) 
if for every a ∈ M, ¬¬a = a. 

CL-algebras are a semantical counterpart of MALL, see [18]. 

Definition 22. A CLa-algebra is a CL-algebra satisfying condition (w) in De- 
finition 3. CLa_lin-, CLa_lin^{cn}- and CLa_lin^{wn}-algebras are obtained, respectively, by 
adding to the ILa_lin-, ILa_lin^{cn}- and ILa_lin^{wn}-algebras of Definition 6 the condition 
¬¬a = a. 

In CL-algebras one defines a + b = ¬(¬a * ¬b). Thus the (n-contraction) and 
(n-weak) conditions can be respectively expressed, dually, as na ≤ (n − 1)a and 
¬a ∨ (n − 1)a = 1, where na = a + ... + a (n times). 

Remark 23. The Wn-algebras [7] are CLa-algebras satisfying the (n-weak) con- 
dition. MV-algebras, that are the algebraic models of infinite-valued Łukasiewicz 
logic (see, e.g., [8]), are CLa-algebras satisfying in addition a ∧ b = a * (a ⇒ b). 

Proposition 24. CCn and CWn are respectively characterized by the class of 
all totally ordered CLa_lin^{cn}- and CLa_lin^{wn}-algebras. 

The semantic notions are the same as in Definition 9. They are extended to 
multiple-conclusion hypersequent calculi as follows: 

A sequent Γ ⊢ Δ, where Γ = A_1, ..., A_k and Δ = B_1, ..., B_m, is true in a 
CLa_lin^{cn}-algebra (respectively, in a CLa_lin^{wn}-algebra) M if the formula A_1 ⊙ ... ⊙ 
A_k → B_1 ⊕ ... ⊕ B_m is true in M, where v(A ⊕ B) = v(A) + v(B). 

Definition 25. For n ≥ 2, the hCCn calculus is obtained by adding the (cc_n) 
rule below to the hypersequent calculus for a-MALL with the (lin) rule: 

              n times        n times                           n times                n times 
           ------------   ------------                   ------------------    ------------------ 
        G_1|Γ, A_1, ..., A_1 ⊢ B_1, ..., B_1, Δ   ...   G_{n−1}|Γ, A_{n−1}, ..., A_{n−1} ⊢ B_{n−1}, ..., B_{n−1}, Δ 
(cc_n)  ----------------------------------------------------------------------------------------------- 
                    G_1| ... |G_{n−1}|Γ, A_1, ..., A_{n−1} ⊢ B_1, ..., B_{n−1}, Δ 

We show that hCCn is sound and complete with respect to validity in CLa_lin^{cn}- 
algebras. 
Theorem 26 (Soundness). If a hypersequent H is derivable in hCCn, then it 
is CLa_lin^{cn}-valid. 

Proof. We argue as in the proof of Theorem 11. We only show the soundness of 
the (cc_n) rule with respect to all totally ordered CLa_lin^{cn}-algebras. By hypothesis, 
for every i = 1, ..., n − 1, v(Γ) * v(A_i)^n ≤ n v(B_i) + v(Δ), that is, ¬v(Γ) + n¬v(A_i) + 
n v(B_i) + v(Δ) = 1. Let ¬v(A_m) + v(B_m) = min{¬v(A_j) + v(B_j) | j = 1, ..., n − 
1}; thus 1 ≤ ¬v(Γ) + n¬v(A_m) + n v(B_m) + v(Δ) ≤ ¬v(Γ) + (n − 1)¬v(A_m) + (n − 
1)v(B_m) + v(Δ) ≤ ¬v(Γ) + ¬v(A_1) + ... + ¬v(A_{n−1}) + v(B_1) + ... + v(B_{n−1}) + v(Δ). 

Theorem 27 (Completeness). If a formula P is CLa_lin^{cn}-valid, then ⊢ P is 
derivable in hCCn. 

Proof. The proof is similar to the one of Theorem 12. 

The cut rule is eliminable in hCCn. 

Theorem 28. If both G|Γ ⊢ A, Δ and G'|Γ', A ⊢ Δ' are provable in hCCn, 
then so is G|G'|Γ, Γ' ⊢ Δ, Δ'. 

Proof. By a straightforward adaptation of the proof for hICn, taking into ac- 
count the fact that we have now to deal with multiple-conclusion hypersequents. 

In [7] it was proved that the hWn calculus, with n ≥ 2, obtained by adding to 
the hypersequent calculus for a-MALL the following rule: 

          G_1|Γ, A_1 ⊢ B_1, Δ   ... 

is sound and complete with respect to validity in Wn-algebras. 

Definition 29. The hCWn calculus coincides with the hWn calculus with the 
(lin) rule. 

Theorem 30. A formula P is CLa_lin^{wn}-valid if and only if ⊢ P is derivable in 
hCWn. 

Proof. Since the (lin) rule is valid in all totally ordered CLa-algebras and allows 
one to derive the linearity axiom, the proof follows from the soundness and 
completeness of the hWn-calculus with respect to Wn-algebras [7]. 

Theorem 31. If G|Γ ⊢ A, Δ and G'|Γ', A ⊢ Δ' are provable in hCWn, then so 
is G|G'|Γ, Γ' ⊢ Δ, Δ'. 

Proof. The proof is similar to that of hIWn. In [7] it was shown how to eliminate 
cuts involving the (n-weak) rule. 

Lemma 32. For all n ≥ 3, hCCn and hWn are proper subsystems of hCWn. 



(n—weak) 
As was pointed out in [7], hW3 (and hence, also hCW3) is a calculus for 3-valued 
Łukasiewicz logic Ł3. 

This is no longer true for hCWn when n > 3. Indeed the Hilbert-style axioma- 
tization of Łn is given by adding to the axioms for a-MALL the following [10]: 

((A → B) → B) → ((B → A) → A)            (Łukasiewicz axiom) 

(n − 1)A ↔ nA                              (n-contraction) 

(pA^{p−1})^n ↔ nA^p                         (Grigolia axioms) 

for every integer p = 2, ..., n − 2 that does not divide n − 1. Here A ↔ B stands 
for (A → B) ⊙ (B → A), nA for A ⊕ ... ⊕ A (n times) and A^n for A ⊙ ... ⊙ A 
(n times). 

For n > 3, hCWn is strictly included in Łn. Indeed, all the rules of hCWn 
are valid in the algebraic models of Łn, namely MV_n-algebras (see e.g. [8]). On 
the other hand there is no way to prove in hCWn the Łukasiewicz axiom or the 
Grigolia axioms. 

In the particular case $n = 4$ we shall define a new rule that is valid in L$_4$ and allows us to prove the Lukasiewicz axiom.

Definition 33. The hALuk calculus is obtained by adding to the hW$_4$ hypersequent calculus the following rule:

$$\frac{G \mid \Gamma_1, \Gamma_1, \Gamma_1', \Gamma_1' \vdash \Delta_1, \Delta_1, \Delta_1', \Delta_1' \qquad G' \mid \Gamma_2, \Gamma_2' \vdash \Delta_2, \Delta_2'}{G \mid G' \mid \Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2 \mid \Gamma_1', \Gamma_2' \vdash \Delta_1', \Delta_2'}\ (\mathrm{ALuk})$$

Remark 34. Notice that the (ALuk) rule is a mix between the (lin) rule and the internal contraction rules.



Theorem 35 (Soundness). If a hypersequent is derivable in hALuk then it is valid in 4-valued Lukasiewicz logic.

Proof. The proof proceeds as in Theorem 30. We only show validity of the (ALuk) rule with respect to the algebraic models of L$_4$, namely MV$_4$-algebras. By the completeness theorem of MV$_4$-algebras (see, e.g. [8]), it suffices to check validity of the (ALuk) rule in the MV$_4$-algebra $M_4$ on the set of truth values $\{0, \frac{1}{3}, \frac{2}{3}, 1\}$, where the connectives $\oplus$ and $\neg$ are interpreted as $A \oplus B = \min\{1, A + B\}$ and $\neg A = 1 - A$, with $+$ and $-$ the ordinary sum and subtraction. By hypothesis,

(a) $(1 - v(\Gamma_1)) \oplus (1 - v(\Gamma_1)) \oplus (1 - v(\Gamma_1')) \oplus (1 - v(\Gamma_1')) \oplus v(\Delta_1) \oplus v(\Delta_1) \oplus v(\Delta_1') \oplus v(\Delta_1') = 1$ and

(b) $(1 - v(\Gamma_2)) \oplus (1 - v(\Gamma_2')) \oplus v(\Delta_2) \oplus v(\Delta_2') = 1$.

We have to prove that either

(c) $(1 - v(\Gamma_1)) \oplus (1 - v(\Gamma_2)) \oplus v(\Delta_1) \oplus v(\Delta_2) = 1$ or

(d) $(1 - v(\Gamma_1')) \oplus (1 - v(\Gamma_2')) \oplus v(\Delta_1') \oplus v(\Delta_2') = 1$.

Suppose that (c) does not hold. We show that (d) must be true. Since (*) $(1 - v(\Gamma_1)) \oplus (1 - v(\Gamma_2)) \oplus v(\Delta_1) \oplus v(\Delta_2) < 1$, there are three cases: $(1 - v(\Gamma_2)) \oplus v(\Delta_2)$ can be equal to $0$, $\frac{1}{3}$ or $\frac{2}{3}$. In the first case, from (b) it follows that (d) holds. In the second case, from (b) we have ($\star$) $(1 - v(\Gamma_2')) \oplus v(\Delta_2') \ge \frac{2}{3}$. Since $(1 - v(\Gamma_2)) \oplus v(\Delta_2) = \frac{1}{3}$ and (*) holds, $(1 - v(\Gamma_1)) \oplus v(\Delta_1)$ must be $\le \frac{1}{3}$, so (a) gives $(1 - v(\Gamma_1')) \oplus v(\Delta_1') \ge \frac{1}{3}$ and (d) follows from ($\star$). In the third case, $(1 - v(\Gamma_1)) \oplus v(\Delta_1)$ must be equal to $0$, so from (a) we have $(1 - v(\Gamma_1')) \oplus v(\Delta_1') \ge \frac{2}{3}$. On the other hand, from (b) it follows that $(1 - v(\Gamma_2')) \oplus v(\Delta_2') \ge \frac{1}{3}$. Thus (d) holds.

The (ALuk) rule is not valid in L$_n$ for $n > 4$. A simple counterexample, e.g. in L$_5$, is obtained by taking $v(\Gamma_1) = v(\Gamma_1') = \frac{3}{4}$, $v(\Gamma_2) = v(\Gamma_2') = \frac{1}{2}$ and $v(\Delta_i) = v(\Delta_i') = 0$ for $i = 1, 2$.

Remark 36. In hALuk we can derive the Lukasiewicz axiom. An equivalent formulation of this axiom is $A \odot (A \to B) \to B \odot (B \to A)$, see e.g. [11]. Here we show how to prove it in hALuk (the derivation tree is shown flattened, with premises on the lines above the hypersequent they derive):

$B \vdash B \qquad A \vdash A$

$A \vdash A \qquad A \vdash A \qquad B, B, A \vdash B \odot (B \to A)$

(4-weak)

$B \vdash B \qquad B, B \vdash A, A \mid A \vdash B \odot (B \to A)$

$B \vdash B \qquad B, B \vdash A, B \odot (B \to A) \mid A \vdash B \odot (B \to A)$

$A \vdash A \qquad B, B \vdash B \odot (B \to A), B \odot (B \to A) \mid A \vdash B \odot (B \to A)$

(ALuk)

$A \vdash B \odot (B \to A) \mid B \vdash A \mid A \vdash B \odot (B \to A)$

$A, A \to B \vdash B \odot (B \to A) \mid A, A \to B \vdash B \odot (B \to A) \mid A, A \to B \vdash B \odot (B \to A)$

$A, A \to B \vdash B \odot (B \to A)$

$A \odot (A \to B) \vdash B \odot (B \to A)$

$\vdash A \odot (A \to B) \to B \odot (B \to A)$

It is not hard to see that the cut-elimination theorem holds in hALuk.

hALuk is not a calculus for 4-valued Lukasiewicz logic. Indeed, in hALuk one cannot prove the Grigolia axiom

(†) $[(A \oplus A) \odot (A \oplus A) \odot (A \oplus A)] \leftrightarrow [(A \odot A) \oplus (A \odot A) \oplus (A \odot A)]$.

Let L$_4 \cap$ L$_3$ be the logic whose Hilbert-style axiomatization is given by adding to the axioms of a-MALL the Lukasiewicz axiom and the 4-weak law of excluded middle. Modus ponens is the only rule of inference. The tautologies of this logic are the formulas that are verified both in the 3-element MV-algebra MV$_3 = \{0, \frac{1}{2}, 1\}$ and in the 4-element MV-algebra MV$_4 = \{0, \frac{1}{3}, \frac{2}{3}, 1\}$, where the connectives $\neg, \oplus, \odot, \to, \wedge, \vee$ are interpreted as follows: $\neg A = 1 - A$, $A \oplus B = \min\{1, A + B\}$, $A \odot B = \max\{0, A + B - 1\}$, $A \to B = \min\{1, 1 - A + B\}$, $A \wedge B = \min\{A, B\}$ and $A \vee B = \max\{A, B\}$.

Proposition 37. hALuk is a calculus for L$_4 \cap$ L$_3$.

Proof. (Soundness) Trivial, since every rule of the hALuk calculus is valid both in L$_4$ and in L$_3$. (Completeness) Every axiom of L$_4 \cap$ L$_3$ is derivable in hALuk, while modus ponens corresponds to the derivability of $A, A \to B \vdash B$ together with the cut rule.
As an easy corollary we obtain an alternative Hilbert-style axiomatization of 4-valued Lukasiewicz logic that makes no use of the Lukasiewicz axiom.

As a final remark we stress that, in order to formulate a cut-free hypersequent calculus for 4-valued Lukasiewicz logic, it remains to find rules that forbid $\frac{1}{2}$ from being a truth value of the logic.
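The semantic checks behind the proof of Theorem 35 and Proposition 37 can be run mechanically. The following Python script is an added example written for this edition and is not part of the paper: it implements the MV$_n$-chain interpretation of $\neg, \oplus, \odot, \to$ given above, evaluates a sequent $\Gamma \vdash \Delta$ under a valuation as $\neg(\odot\Gamma) \oplus (\oplus\Delta)$, and then checks by exhaustive enumeration that (ALuk) is valid in MV$_3$ and MV$_4$ but refuted in MV$_5$ (the paper's own counterexample is tested explicitly), that the Lukasiewicz axiom holds in MV$_3$ and MV$_4$, and that the Grigolia axiom (†) holds in MV$_4$ but not in MV$_3$. Two simplifications are the script's own assumptions: each $\Gamma_i$, $\Delta_i$ is represented by a single truth value (every element of the chain is the value of some formula, so nothing is lost), and the side hypersequents $G$, $G'$ are omitted since a component that holds in a premise is copied unchanged into the conclusion.

```python
from fractions import Fraction
from itertools import product


class MVChain:
    """The n-element MV-chain MV_n on {0, 1/(n-1), ..., 1}.

    Values are stored as integers k standing for k/(n-1); `top` stands for 1.
    Integer arithmetic keeps the exhaustive checks below fast."""

    def __init__(self, n):
        if n < 2:
            raise ValueError("MV_n needs at least two truth values")
        self.top = n - 1
        self.values = range(n)

    def frac(self, k):                      # the rational that integer k stands for
        return Fraction(k, self.top)

    def neg(self, a):                       # 1 - a
        return self.top - a

    def oplus(self, a, b):                  # min{1, a + b}
        return min(self.top, a + b)

    def odot(self, a, b):                   # max{0, a + b - 1}
        return max(0, a + b - self.top)

    def imp(self, a, b):                    # min{1, 1 - a + b}
        return min(self.top, self.top - a + b)

    def iff(self, a, b):                    # (a -> b) (.) (b -> a)
        return self.odot(self.imp(a, b), self.imp(b, a))

    def osum(self, xs):                     # x_1 (+) ... (+) x_k; the empty sum is 0
        r = 0
        for x in xs:
            r = self.oplus(r, x)
        return r

    def oprod(self, xs):                    # x_1 (.) ... (.) x_k; the empty product is 1
        r = self.top
        for x in xs:
            r = self.odot(r, x)
        return r

    def sequent_holds(self, gammas, deltas):
        """Gamma |- Delta holds under a valuation iff neg(prod Gamma) (+) (sum Delta) = 1.
        Each element of `gammas` / `deltas` is the value of one formula occurrence."""
        return self.oplus(self.neg(self.oprod(gammas)), self.osum(deltas)) == self.top


def is_tautology(n, formula, arity):
    """True iff formula(M, x_1, ..., x_arity) is 1 under every valuation in MV_n."""
    M = MVChain(n)
    return all(formula(M, *xs) == M.top for xs in product(M.values, repeat=arity))


def lukasiewicz(M, a, b):
    """A (.) (A -> B) -> B (.) (B -> A): the form of the Lukasiewicz axiom of Remark 36."""
    return M.imp(M.odot(a, M.imp(a, b)), M.odot(b, M.imp(b, a)))


def grigolia_dagger(M, a):
    """(dagger): [(A(+)A) (.) (A(+)A) (.) (A(+)A)] <-> [(A(.)A) (+) (A(.)A) (+) (A(.)A)]."""
    return M.iff(M.oprod([M.oplus(a, a)] * 3), M.osum([M.odot(a, a)] * 3))


def aluk_instance_holds(M, g1, g1p, g2, g2p, d1, d1p, d2, d2p):
    """One instance of (ALuk) under one valuation (side hypersequents omitted).

    g1, g1p, g2, g2p stand for v(Gamma_1), v(Gamma_1'), v(Gamma_2), v(Gamma_2') and
    d1, d1p, d2, d2p for the corresponding Delta values. Returns False exactly when
    both premises hold and neither component of the conclusion does."""
    premise_a = M.sequent_holds([g1, g1, g1p, g1p], [d1, d1, d1p, d1p])
    premise_b = M.sequent_holds([g2, g2p], [d2, d2p])
    conclusion = (M.sequent_holds([g1, g2], [d1, d2])
                  or M.sequent_holds([g1p, g2p], [d1p, d2p]))
    return conclusion or not (premise_a and premise_b)


def aluk_counterexample(n):
    """Exhaustively search MV_n for a valuation refuting (ALuk).

    Returns the refuting values as fractions, in the argument order of
    aluk_instance_holds, or None when the rule is valid in MV_n."""
    M = MVChain(n)
    # Delta values are enumerated in the outer loops so that, when a counterexample
    # exists, one with all Delta = 0 (as in the paper) is reached early.
    for d1, d1p, d2, d2p, g1, g1p, g2, g2p in product(M.values, repeat=8):
        if not aluk_instance_holds(M, g1, g1p, g2, g2p, d1, d1p, d2, d2p):
            return tuple(M.frac(v) for v in (g1, g1p, g2, g2p, d1, d1p, d2, d2p))
    return None


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(f"MV{n}: Lukasiewicz axiom valid: {is_tautology(n, lukasiewicz, 2)}, "
              f"(dagger) valid: {is_tautology(n, grigolia_dagger, 1)}, "
              f"(ALuk) counterexample: {aluk_counterexample(n)}")
```

The search over MV$_5$ stops at the first refuting valuation it meets, which need not be the one quoted in the paper; the paper's valuation ($\frac{3}{4}, \frac{3}{4}, \frac{1}{2}, \frac{1}{2}$ for the $\Gamma$'s, $0$ for the $\Delta$'s) is checked separately by calling `aluk_instance_holds` on it.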
Abstract. We prove, by introducing a new kind of sequent calculus, that the decision problem for the non-associative Lambek calculus with product belongs to PTIME. This solves an open problem.



1 Introduction 

Modern categorial grammars [6] are based on a logical calculus introduced by Lambek more than thirty years ago [4,5]. Two variants of this calculus exist. The first, L, which is perhaps the most well-known, corresponds exactly to the non-commutative fragment of IMLL, i.e., intuitionistic multiplicative linear logic [2]. The second, NL, which was introduced three years later, is obtained from the first by dropping the hidden structural rule of associativity. Therefore intuitionistic multiplicative linear logic may be seen as the commutative extension of L which, in turn, may be seen as the associative extension of NL:

$\mathrm{NL} \subset \mathrm{L} \subset \mathrm{IMLL}$

If, in addition, we distinguish between the purely implicational fragments and the fragments with product, the picture becomes the following:

$\mathrm{NL}^{\backslash/\bullet} \subset \mathrm{L}^{\backslash/\bullet} \subset \mathrm{IMLL}^{\multimap\otimes}$

$\quad\cup \qquad\qquad \cup \qquad\qquad\ \cup$

$\mathrm{NL}^{\backslash/} \subset \mathrm{L}^{\backslash/} \subset \mathrm{IMLL}^{\multimap}$

where the superscripts make explicit the connectives of the systems.

The decidability of these six fragments follows immediately from easy cut elimination theorems. As for the complexity of the associated decision problems, the state of the art is as follows. Kanovich has shown both $\mathrm{IMLL}^{\multimap\otimes}$ and $\mathrm{IMLL}^{\multimap}$ to be NP-complete [3].$^1$ In the case of $\mathrm{L}^{\backslash/\bullet}$ and $\mathrm{L}^{\backslash/}$, the question is still open. Moreover, there is no proof that the two problems are equivalent. Aerts and Trautwein have shown that $\mathrm{NL}^{\backslash/}$ belongs to PTIME [1]. Our own contribution is to show that this is also the case for $\mathrm{NL}^{\backslash/\bullet}$.

$^1$ In fact, in this case, the two problems are easily seen to be equivalent by using a Gödel-like negative translation. This is not true for L and NL because Gödel-like translations do not work in a non-commutative setting.

Neil V. Murray (Ed.): TABLEAUX’99, LNAI 1617, pp. 128-139, 1999. 

(c) Springer- Verlag Berlin Heidelberg 1999 
2 The non-associative Lambek calculus

The formulas of the non-associative Lambek calculus with product $\mathrm{NL}^{\backslash/\bullet}$ are built from a set of atomic formulas $\mathcal{A}$ and the connectives $\backslash$, $/$, and $\bullet$ according to the following grammar:

$\mathcal{F} ::= \mathcal{A} \mid (\mathcal{F} \backslash \mathcal{F}) \mid (\mathcal{F} / \mathcal{F}) \mid (\mathcal{F} \bullet \mathcal{F})$

The consequence relation of $\mathrm{NL}^{\backslash/\bullet}$ may be specified by a Gentzen-like sequent calculus. The sequents have the form $\Gamma \vdash A$ where $\Gamma$ is a non-empty binary tree of formulas, i.e., a fully bracketed structure. We take for granted the notion of context, i.e., a binary tree with a hole. If $\Gamma[\,]$ is such a context, $\Gamma[A]$ denotes the binary tree obtained by filling the hole in $\Gamma[\,]$ with the formula $A$.

$$A \vdash A\ (\mathrm{Id})$$

$$\frac{\Gamma \vdash A \qquad \Delta[B] \vdash C}{\Delta[(\Gamma, (A \backslash B))] \vdash C}\ (\backslash\text{-L}) \qquad\qquad \frac{(A, \Gamma) \vdash B}{\Gamma \vdash (A \backslash B)}\ (\backslash\text{-R})$$

$$\frac{\Gamma \vdash A \qquad \Delta[B] \vdash C}{\Delta[((B / A), \Gamma)] \vdash C}\ (/\text{-L}) \qquad\qquad \frac{(\Gamma, A) \vdash B}{\Gamma \vdash (B / A)}\ (/\text{-R})$$

$$\frac{\Gamma[(A, B)] \vdash C}{\Gamma[(A \bullet B)] \vdash C}\ (\bullet\text{-L}) \qquad\qquad \frac{\Gamma \vdash A \qquad \Delta \vdash B}{(\Gamma, \Delta) \vdash (A \bullet B)}\ (\bullet\text{-R})$$



The binary-tree structure of the antecedents induces the non-associativity of the calculus. As an illustration, consider the following derivation:

$$\frac{a \vdash a \qquad \dfrac{b \vdash b \qquad c \vdash c}{(b, b \backslash c) \vdash c}}{((a, a \backslash b), b \backslash c) \vdash c}$$

In the associative case, this derivation might be continued by applying the right introduction rule of $\backslash$, which would yield $(a \backslash b, b \backslash c) \vdash a \backslash c$. In the present case, the bracketing of the antecedent prevents Rule ($\backslash$-R) from being applied, since that rule requires an antecedent of the form $(a, \Gamma)$.

In order to show that one may decide in polynomial time whether a sequent of $\mathrm{NL}^{\backslash/\bullet}$ is derivable, we will focus on sequents made of two formulas. By doing so, we will not lose any generality, as explained below.



Proposition 1. Rule $\bullet$-L is invertible.

Proof. This follows from the fact that this rule is permutable with all the rules. □



From this, we immediately have: 
Corollary 2. For each sequent $\Gamma \vdash B$ there exists a formula $A$ such that $\Gamma \vdash B$ is provable if and only if $A \vdash B$ is provable (take for $A$ the formula obtained from $\Gamma$ by replacing every comma by a product). Moreover, $\Gamma \vdash B$ and $A \vdash B$ have the same length. □

Because of Corollary 2, we may reduce the decision problem of $\mathrm{NL}^{\backslash/\bullet}$ to the particular case of sequents made of two formulas. Let us call any such provable sequent a tautology of $\mathrm{NL}^{\backslash/\bullet}$. We end this section by giving a characterisation of these tautologies.

Proposition 3. The set of tautologies of $\mathrm{NL}^{\backslash/\bullet}$ is the least set of sequents closed under the following clauses:

(a) $A \vdash A$;

(b) $(B \backslash C) \vdash (A \backslash D)$ if $A \vdash B$ and $C \vdash D$;

(c) $(C / B) \vdash (D / A)$ if $A \vdash B$ and $C \vdash D$;

(d) $(A \bullet C) \vdash (B \bullet D)$ if $A \vdash B$ and $C \vdash D$;

(e) $B \vdash (A \backslash C)$ if and only if $(A \bullet B) \vdash C$;

(f) $A \vdash (C / B)$ if and only if $(A \bullet B) \vdash C$.

Proof. Let $S$ be the least set closed under the above conditions, and let $T$ be the set of tautologies of $\mathrm{NL}^{\backslash/\bullet}$. We first note that Clauses a, b, c, d, e, and f correspond to admissible rules of $\mathrm{NL}^{\backslash/\bullet}$. Therefore, $S \subseteq T$.

Then, proving that $T \subseteq S$ consists in a routine induction on the length of the sequent proofs of $\mathrm{NL}^{\backslash/\bullet}$. □



3 The product-free case 



Proof search in the non-associative Lambek calculus takes advantage of the structure of the sequents. However, the reconstruction of a proof from a sequent is not as simple as it might seem at first sight. Indeed, the backward application of the inference rules is not completely deterministic, as shown by the following derivations, which correspond to two different proofs of the same sequent $(a / (b \backslash a), (a / (b \backslash a)) \backslash a) \vdash a$.

The first proof:

1. $b \vdash b$ and $a \vdash a$ give $(b, b \backslash a) \vdash a$ by ($\backslash$-L);
2. ($\backslash$-R) gives $b \backslash a \vdash b \backslash a$;
3. with $a \vdash a$, ($/$-L) gives $(a / (b \backslash a), b \backslash a) \vdash a$;
4. ($/$-R) gives $a / (b \backslash a) \vdash a / (b \backslash a)$;
5. with $a \vdash a$, ($\backslash$-L) gives $(a / (b \backslash a), (a / (b \backslash a)) \backslash a) \vdash a$.

The second proof:

1. $b \vdash b$ and $a \vdash a$ give $(b, b \backslash a) \vdash a$ by ($\backslash$-L);
2. ($/$-R) gives $b \vdash a / (b \backslash a)$;
3. with $a \vdash a$, ($\backslash$-L) gives $(b, (a / (b \backslash a)) \backslash a) \vdash a$;
4. ($\backslash$-R) gives $(a / (b \backslash a)) \backslash a \vdash b \backslash a$;
5. with $a \vdash a$, ($/$-L) gives $(a / (b \backslash a), (a / (b \backslash a)) \backslash a) \vdash a$.

Now it is easy to construct, from the above example, sequents with an exponential number of possible proofs. Consequently a brute force search based on the sequent calculus of Section 2 cannot be polynomial in time.

In the product-free case, the polynomiality of the decision problem may be obtained as a consequence of the following key property: any derivation of a two-formula sequent may be transformed, by permuting the rules, into a derivation where each two-premise inference rule is immediately followed by a one-premise inference rule. Consequently, any derivation of a two-formula sequent may be transformed into a derivation whose sequents contain at most three formulas. This key property fails when the product is present. This is shown, for instance, by the following counterexample:

1. $a \vdash a$ and $b \vdash b$ give $(a, b) \vdash a \bullet b$ by ($\bullet$-R);
2. with $c \vdash c$, ($\backslash$-L) gives $((a, b), (a \bullet b) \backslash c) \vdash c$;
3. ($/$-R) gives $(a, b) \vdash c / ((a \bullet b) \backslash c)$;
4. ($/$-R) gives $a \vdash (c / ((a \bullet b) \backslash c)) / b$.

Here the two-premise rule ($\bullet$-R) is necessarily followed by another two-premise rule, ($\backslash$-L), and the comma it introduced can only be removed two steps later.

In order to better understand the meaning of the key property, consider the two-premise rules of the sequent calculus of Section 2. Each of these rules introduces two connectives: an actual conjunctive connective, which is the active connective of the rule (i.e., a negative implication, or a positive product), and a possible disjunctive connective, which is introduced by the rule as a meta-connective (i.e., a comma). When deriving a two-formula sequent, this meta-connective will eventually be turned into a positive implication or a negative product.

In the product-free case, the key property says that each comma may be turned into an actual connective as soon as it is introduced. Consequently, by merging the left and the right introduction rules, one obtains a complete system whose rules introduce two dual connectives at the same time:

$$A \vdash A$$

$$\frac{A \vdash B \qquad C \vdash D}{(B \backslash C) \vdash (A \backslash D)} \qquad\qquad \frac{A \vdash B \qquad C \vdash D}{A \vdash (D / (B \backslash C))}$$

$$\frac{A \vdash B \qquad C \vdash D}{(C / B) \vdash (D / A)} \qquad\qquad \frac{A \vdash B \qquad C \vdash D}{A \vdash ((C / B) \backslash D)}$$

In the case of $\mathrm{NL}^{\backslash/\bullet}$, it is still possible to design such a system, where each rule introduces a pair of dual connectives. However, because of the failure of the key property, this system manipulates a notion of context. This is explained in the next section.

4 A calculus with contexts

In this section, we define a context to be a formula with a hole (remark that this notion of context is different from the one of Section 2):

$\mathcal{C}[\,] ::= [\,] \mid (\mathcal{C}[\,] \backslash B) \mid (B \backslash \mathcal{C}[\,]) \mid (\mathcal{C}[\,] / B) \mid (B / \mathcal{C}[\,]) \mid (\mathcal{C}[\,] \bullet B) \mid (B \bullet \mathcal{C}[\,])$

We let $\Gamma[\,], \Delta[\,], \ldots$ range over contexts, and we write $\Gamma[A]$ to denote the formula obtained by filling the hole in $\Gamma[\,]$ with the formula $A$. We also say that a context $\Gamma[\,]$ is a correct positive (respectively, negative) context if and only if $A \vdash \Gamma[B]$ (respectively, $\Gamma[A] \vdash B$) is a tautology whenever $A \vdash B$ is. This notion of correctness is the keystone of the following calculus, which includes inference rules that allow correct contexts to be derived.

Sequent rules

$$A \vdash A\ (\mathrm{Id})$$

$$\frac{A \vdash B \qquad C \vdash D}{(B \backslash C) \vdash (A \backslash D)}\ (\backslash) \qquad\quad \frac{A \vdash B \qquad C \vdash D}{(C / B) \vdash (D / A)}\ (/) \qquad\quad \frac{A \vdash B \qquad C \vdash D}{(A \bullet C) \vdash (B \bullet D)}\ (\bullet)$$

$$\frac{A \vdash B \qquad \vdash_N \Gamma[\,]}{\Gamma[A] \vdash B}\ (\mathrm{Cont}_N) \qquad\qquad \frac{A \vdash B \qquad \vdash_P \Gamma[\,]}{A \vdash \Gamma[B]}\ (\mathrm{Cont}_P)$$

Negative context rules

$$\vdash_N [\,]\ ([\,]\text{-N})$$

$$\frac{A \vdash B \qquad \vdash_N \Gamma[\,] \qquad \vdash_N \Delta[\,]}{\vdash_N (A \bullet \Gamma[(B \backslash \Delta[\,])])}\ (\bullet\backslash\text{-N}) \qquad\qquad \frac{A \vdash B \qquad \vdash_N \Gamma[\,] \qquad \vdash_N \Delta[\,]}{\vdash_N (\Gamma[(\Delta[\,] / B)] \bullet A)}\ (\bullet/\text{-N})$$

Positive context rules

$$\vdash_P [\,]\ ([\,]\text{-P})$$

$$\frac{A \vdash B \qquad \vdash_P \Gamma[\,] \qquad \vdash_P \Delta[\,]}{\vdash_P (A \backslash \Gamma[(B \bullet \Delta[\,])])}\ (\backslash\bullet\text{-P}) \qquad\qquad \frac{A \vdash B \qquad \vdash_P \Gamma[\,] \qquad \vdash_P \Delta[\,]}{\vdash_P (\Gamma[(\Delta[\,] \bullet B)] / A)}\ (/\bullet\text{-P})$$

$$\frac{B \vdash A \qquad \vdash_N \Gamma[\,] \qquad \vdash_P \Delta[\,]}{\vdash_P (A / \Gamma[(\Delta[\,] \backslash B)])}\ (/\backslash\text{-P}) \qquad\qquad \frac{B \vdash A \qquad \vdash_N \Gamma[\,] \qquad \vdash_P \Delta[\,]}{\vdash_P (\Gamma[(B / \Delta[\,])] \backslash A)}\ (\backslash/\text{-P})$$



We now prove that the above system, which we call SC, is a sound and complete axiomatisation of $\mathrm{NL}^{\backslash/\bullet}$.

Proposition 4. (Soundness) Let $A \vdash B$ be a sequent derivable according to system SC. Then $A \vdash B$ is a tautology of $\mathrm{NL}^{\backslash/\bullet}$.

Proof. The proof is carried out by induction on the SC-derivation of $A \vdash B$. The cases of Axiom Id and Rules $\backslash$, $/$, and $\bullet$ are straightforward because they correspond, respectively, to Conditions a, b, c and d of Proposition 3. Rules Cont$_N$ and Cont$_P$ correspond to the definition of correctness for the contexts. Consequently, it remains to prove that the negative and positive context rules allow only correct contexts to be derived. We handle the case of the negative contexts and leave the other case, which is similar, to the reader.

Let $C \vdash D$ be a tautology of $\mathrm{NL}^{\backslash/\bullet}$ and let $\Theta[\,]$ be a context such that $\vdash_N \Theta[\,]$ is derivable. We must prove that $\Theta[C] \vdash D$ is a tautology.

The case where $\Theta$ is obtained by Axiom $[\,]$-N is obvious.

If $\Theta$ is obtained by Rule $\bullet\backslash$-N then $\Theta = (A \bullet \Gamma[(B \backslash \Delta[\,])])$ where, by induction hypothesis, $A \vdash B$ is a tautology and $\Gamma[\,], \Delta[\,]$ are correct negative contexts. Then $\Delta[C] \vdash D$ is a tautology, and so is $(B \backslash \Delta[C]) \vdash (A \backslash D)$. Hence $\Gamma[(B \backslash \Delta[C])] \vdash (A \backslash D)$ is also a tautology and, by Condition e of Proposition 3, so is $(A \bullet \Gamma[(B \backslash \Delta[C])]) \vdash D$.

The case where $\Theta$ is obtained by Rule $\bullet/$-N is similar. □

In order to prove the completeness, we first establish two lemmas.

Lemma 5. If $\vdash_N \Gamma[\,]$ and $\vdash_N \Delta[\,]$ are both derivable, so is $\vdash_N \Gamma[\Delta[\,]]$.

Proof. A straightforward induction on the derivation of $\vdash_N \Gamma[\,]$. □

Lemma 6. If $\vdash_P \Gamma[\,]$ and $\vdash_P \Delta[\,]$ are both derivable, so is $\vdash_P \Gamma[\Delta[\,]]$.

Proof. A straightforward induction on the derivation of $\vdash_P \Gamma[\,]$. □
We say that an SC-derivation is normal if the three following conditions hold:

(a) it is not the case that the right premise of any occurrence of Rule Cont$_N$ (respectively, Rule Cont$_P$) is obtained by Axiom $[\,]$-N (respectively, Axiom $[\,]$-P);

(b) it is not the case that the left premise of any occurrence of Rule Cont$_N$ (respectively, Rule Cont$_P$) is obtained as the conclusion of another occurrence of Rule Cont$_N$ (respectively, Rule Cont$_P$);

(c) Axiom Id is restricted to atomic formulas.

Lemma 7. Any SC-derivation may be turned into a normal derivation.

Proof. The occurrences of Rule Cont$_N$ or Cont$_P$ that do not satisfy Condition a are clearly useless. On the other hand, the occurrences of Rule Cont$_N$ and Cont$_P$ that do not satisfy Condition b may be eliminated by Lemmas 5 and 6. Finally, Rules $\backslash$, $/$, and $\bullet$ allow any tautology of the form $A \vdash A$ to be derived from axioms on atomic formulas. □



Proposition 8. (Completeness) Let $A \vdash B$ be a tautology of $\mathrm{NL}^{\backslash/\bullet}$. Then $A \vdash B$ is derivable according to system SC.

Proof. We prove that the set of SC-derivable sequents is closed under the conditions of Proposition 3. This is clearly the case for Conditions a, b, c, d since they respectively correspond to Axiom Id and Rules $\backslash$, $/$, and $\bullet$. Therefore, it remains to prove that the set of SC-derivable sequents is closed under Conditions e and f. This amounts to proving that the following rules are admissible:

$$\frac{(A \bullet B) \vdash C}{B \vdash (A \backslash C)}\ (\mathrm{e1}) \qquad \frac{B \vdash (A \backslash C)}{(A \bullet B) \vdash C}\ (\mathrm{e2}) \qquad \frac{(A \bullet B) \vdash C}{A \vdash (C / B)}\ (\mathrm{f1}) \qquad \frac{A \vdash (C / B)}{(A \bullet B) \vdash C}\ (\mathrm{f2})$$

We show that each of these rules is admissible by performing a case analysis of the normal SC-derivations. In each case below, the derivation ending with the rule under consideration is described first, then the derivation that replaces it.

A. Admissibility of Rule e1.

A.1. The last rule of the SC-derivation is Rule $\bullet$: from $A \vdash B$ and $C \vdash D$ it derives $(A \bullet C) \vdash (B \bullet D)$, and (e1) then yields $C \vdash (A \backslash (B \bullet D))$. The derivation may be transformed as follows: Rule $\backslash\bullet$-P applied to $A \vdash B$, $\vdash_P [\,]$ and $\vdash_P [\,]$ gives $\vdash_P (A \backslash (B \bullet [\,]))$; then Rule Cont$_P$ applied to $C \vdash D$ and this context gives $C \vdash (A \backslash (B \bullet D))$.

A.2. The last rule of the SC-derivation is Rule Cont$_N$. We distinguish between two subcases.

A.2.1. The right premise of Rule Cont$_N$ is obtained by application of Rule $\bullet\backslash$-N: from $A \vdash B$, $\vdash_N \Gamma[\,]$ and $\vdash_N \Delta[\,]$ it derives $\vdash_N (A \bullet \Gamma[(B \backslash \Delta[\,])])$; Rule Cont$_N$ with $C \vdash D$ then gives $(A \bullet \Gamma[(B \backslash \Delta[C])]) \vdash D$, and (e1) yields $\Gamma[(B \backslash \Delta[C])] \vdash (A \backslash D)$. The derivation may be transformed as follows: Rule Cont$_N$ applied to $C \vdash D$ and $\vdash_N \Delta[\,]$ gives $\Delta[C] \vdash D$; Rule $\backslash$ applied to $A \vdash B$ and $\Delta[C] \vdash D$ gives $(B \backslash \Delta[C]) \vdash (A \backslash D)$; finally Rule Cont$_N$ with $\vdash_N \Gamma[\,]$ gives $\Gamma[(B \backslash \Delta[C])] \vdash (A \backslash D)$.

A.2.2. The right premise of Rule Cont$_N$ is obtained by application of Rule $\bullet/$-N: from $A \vdash B$, $\vdash_N \Gamma[\,]$ and $\vdash_N \Delta[\,]$ it derives $\vdash_N (\Gamma[(\Delta[\,] / B)] \bullet A)$; Rule Cont$_N$ with $C \vdash D$ then gives $(\Gamma[(\Delta[C] / B)] \bullet A) \vdash D$, and (e1) yields $A \vdash (\Gamma[(\Delta[C] / B)] \backslash D)$. The derivation may be transformed as follows: Rule Cont$_N$ applied to $C \vdash D$ and $\vdash_N \Delta[\,]$ gives $\Delta[C] \vdash D$; Rule $\backslash/$-P applied to $\Delta[C] \vdash D$, $\vdash_N \Gamma[\,]$ and $\vdash_P [\,]$ gives $\vdash_P (\Gamma[(\Delta[C] / [\,])] \backslash D)$; finally Rule Cont$_P$ with $A \vdash B$ gives $A \vdash (\Gamma[(\Delta[C] / B)] \backslash D)$.

A.3. The last rule of the SC-derivation is Rule Cont$_P$. Again, we distinguish between two subcases.

A.3.1. The left premise of Rule Cont$_P$ is obtained by applying Rule $\bullet$: from $A \vdash B$ and $C \vdash D$ it derives $(A \bullet C) \vdash (B \bullet D)$; Rule Cont$_P$ with $\vdash_P \Gamma[\,]$ then gives $(A \bullet C) \vdash \Gamma[(B \bullet D)]$, and (e1) yields $C \vdash (A \backslash \Gamma[(B \bullet D)])$. The derivation may be transformed as follows: Rule $\backslash\bullet$-P applied to $A \vdash B$, $\vdash_P \Gamma[\,]$ and $\vdash_P [\,]$ gives $\vdash_P (A \backslash \Gamma[(B \bullet [\,])])$; then Rule Cont$_P$ with $C \vdash D$ gives $C \vdash (A \backslash \Gamma[(B \bullet D)])$.

A.3.2. The left premise of Rule Cont$_P$ is obtained by applying Rule Cont$_N$: from $A \vdash B$ and $\vdash_N \Gamma[\,]$ it derives $\Gamma[A] \vdash B$, and Rule Cont$_P$ with $\vdash_P \Delta[\,]$ then gives $\Gamma[A] \vdash \Delta[B]$. This case may be reduced to case A.2 by permuting the two rules as follows: Rule Cont$_P$ applied to $A \vdash B$ and $\vdash_P \Delta[\,]$ gives $A \vdash \Delta[B]$; then Rule Cont$_N$ with $\vdash_N \Gamma[\,]$ gives $\Gamma[A] \vdash \Delta[B]$.

B. Admissibility of Rule e2.

B.1. The last rule of the SC-derivation is Rule $\backslash$: from $A \vdash B$ and $C \vdash D$ it derives $(B \backslash C) \vdash (A \backslash D)$, and (e2) then yields $(A \bullet (B \backslash C)) \vdash D$. The derivation may be transformed as follows: Rule $\bullet\backslash$-N applied to $A \vdash B$, $\vdash_N [\,]$ and $\vdash_N [\,]$ gives $\vdash_N (A \bullet (B \backslash [\,]))$; then Rule Cont$_N$ with $C \vdash D$ gives $(A \bullet (B \backslash C)) \vdash D$.

B.2. The last rule of the SC-derivation is Rule Cont$_N$. We distinguish between two subcases.

B.2.1. The left premise of Rule Cont$_N$ is obtained by applying Rule $\backslash$: from $A \vdash B$ and $C \vdash D$ it derives $(B \backslash C) \vdash (A \backslash D)$; Rule Cont$_N$ with $\vdash_N \Gamma[\,]$ then gives $\Gamma[(B \backslash C)] \vdash (A \backslash D)$, and (e2) yields $(A \bullet \Gamma[(B \backslash C)]) \vdash D$. The derivation may be transformed as follows: Rule $\bullet\backslash$-N applied to $A \vdash B$, $\vdash_N \Gamma[\,]$ and $\vdash_N [\,]$ gives $\vdash_N (A \bullet \Gamma[(B \backslash [\,])])$; then Rule Cont$_N$ with $C \vdash D$ gives $(A \bullet \Gamma[(B \backslash C)]) \vdash D$.

B.2.2. The left premise of Rule Cont$_N$ is obtained by applying Rule Cont$_P$: from $A \vdash B$ and $\vdash_P \Gamma[\,]$ it derives $A \vdash \Gamma[B]$, and Rule Cont$_N$ with $\vdash_N \Delta[\,]$ then gives $\Delta[A] \vdash \Gamma[B]$. This case is reduced to case B.3 by permuting the two rules: Rule Cont$_N$ applied to $A \vdash B$ and $\vdash_N \Delta[\,]$ gives $\Delta[A] \vdash B$; then Rule Cont$_P$ with $\vdash_P \Gamma[\,]$ gives $\Delta[A] \vdash \Gamma[B]$.

B.3. The last rule of the SC-derivation is Rule Cont$_P$. There are two subcases.

B.3.1. The right premise of Rule Cont$_P$ is obtained by application of Rule $\backslash\bullet$-P: from $A \vdash B$, $\vdash_P \Gamma[\,]$ and $\vdash_P \Delta[\,]$ it derives $\vdash_P (A \backslash \Gamma[(B \bullet \Delta[\,])])$; Rule Cont$_P$ with $C \vdash D$ then gives $C \vdash (A \backslash \Gamma[(B \bullet \Delta[D])])$, and (e2) yields $(A \bullet C) \vdash \Gamma[(B \bullet \Delta[D])]$. The derivation may be transformed as follows: Rule Cont$_P$ applied to $C \vdash D$ and $\vdash_P \Delta[\,]$ gives $C \vdash \Delta[D]$; Rule $\bullet$ applied to $A \vdash B$ and $C \vdash \Delta[D]$ gives $(A \bullet C) \vdash (B \bullet \Delta[D])$; finally Rule Cont$_P$ with $\vdash_P \Gamma[\,]$ gives $(A \bullet C) \vdash \Gamma[(B \bullet \Delta[D])]$.

B.3.2. The right premise of Rule Cont$_P$ is obtained by application of Rule $\backslash/$-P: from $A \vdash B$, $\vdash_N \Gamma[\,]$ and $\vdash_P \Delta[\,]$ it derives $\vdash_P (\Gamma[(A / \Delta[\,])] \backslash B)$; Rule Cont$_P$ with $C \vdash D$ then gives $C \vdash (\Gamma[(A / \Delta[D])] \backslash B)$, and (e2) yields $(\Gamma[(A / \Delta[D])] \bullet C) \vdash B$. The derivation may be transformed as follows: Rule Cont$_P$ applied to $C \vdash D$ and $\vdash_P \Delta[\,]$ gives $C \vdash \Delta[D]$; Rule $\bullet/$-N applied to $C \vdash \Delta[D]$, $\vdash_N \Gamma[\,]$ and $\vdash_N [\,]$ gives $\vdash_N (\Gamma[([\,] / \Delta[D])] \bullet C)$; finally Rule Cont$_N$ with $A \vdash B$ gives $(\Gamma[(A / \Delta[D])] \bullet C) \vdash B$.

C. Admissibility of Rule f1. This part of the proof is symmetric to Part A.

D. Admissibility of Rule f2. This part of the proof is symmetric to Part B. □



5 Polynomiality

Let $A$ be a formula and $\Gamma[\,]$ be a context. We say that $\Gamma[\,]$ is a subcontext of $A$ if and only if there exist a context $\Delta[\,]$ and a formula $B$ such that $A = \Delta[\Gamma[B]]$. Remark that if $A$ is a formula of length $n$ then the number of subformulas of $A$ is bounded by $n$, and the number of subcontexts of $A$ is bounded by $n^2$.

We immediately obtain the following property.

Lemma 9. The SC-derivations satisfy the subformula/subcontext property, i.e., all the formulas and contexts occurring in an SC-derivation are subformulas and subcontexts of the conclusion of this SC-derivation.

Proof. A straightforward induction on SC-derivations. □

From this lemma, we easily derive our main result.

Theorem 10. The non-associative Lambek calculus is decidable in polynomial time.

Proof. Let $A \vdash B$ be a two-formula sequent of $\mathrm{NL}^{\backslash/\bullet}$. By Propositions 4 and 8, $A \vdash B$ is a tautology of $\mathrm{NL}^{\backslash/\bullet}$ if and only if there exists an SC-derivation of it. Now, by Lemma 9, any possible SC-derivation of $A \vdash B$ will be made up of two kinds of expressions:

– subcontexts of either $A$ or $B$,

– sequents of the form $C \vdash D$, where $C$ and $D$ are subformulas of $A$ or $B$.

The number of such expressions is bounded by $2n^2$, where $n$ is the sum of the lengths of $A$ and $B$. Consequently, a brute force search algorithm for constructing a possible SC-derivation of $A \vdash B$ will terminate in polynomial time if its search space is organised as a DAG rather than as a tree. □



Remark 11. Organizing the proof-search space in such a way that different possible proofs share the sub-proofs they have in common is needed in order to get a polynomial algorithm. Nevertheless, the bottom-up strategy suggested by the proof of Theorem 10 is not the only possible way. In practice, one could prefer top-down strategies, such as the so-called inverse method, that take advantage of dynamic programming techniques.
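The product-free dual-connective system of Section 3, run as a memoised backward proof search, already gives a small decision procedure for two-formula sequents of $\mathrm{NL}^{\backslash/}$ and illustrates the DAG organisation of Theorem 10 and Remark 11. The following Python code is an added example written for this edition, not part of the paper: the bracketed-formula parser, the `Prover` class and its `table` are its own constructions. The table records every sequent already decided, so the two proofs of the Section 3 example (stated here as the two-formula tautology $a / (b \backslash a) \vdash a / ((a / (b \backslash a)) \backslash a)$) share their common subproofs instead of being re-derived. Since the conclusions of the four rules overlap (a succedent $(C / B) \backslash D$ matches both the first and the fourth rule), every applicable rule is tried before a sequent is rejected. The sequent $a \backslash b \vdash (a \backslash c) / (b \backslash c)$, the two-formula form of the associative composition $(a \backslash b, b \backslash c) \vdash a \backslash c$ rejected at the start of Section 2, is correctly refused. Sequents containing the product, which need the context calculus SC of Section 4, are outside this example.

```python
def _matching_paren(s, i):
    """Index of the ')' that closes the '(' at position i, or -1 if unbalanced."""
    depth = 0
    for j in range(i, len(s)):
        if s[j] == "(":
            depth += 1
        elif s[j] == ")":
            depth -= 1
            if depth == 0:
                return j
    return -1


def parse(text):
    r"""Parse a product-free formula. Atoms are alphanumeric; every binary subformula
    is bracketed as in the grammar of Section 2, e.g. r"a/((a/(b\a))\a)"; only the
    top-level operator may be left unbracketed. Atoms are returned as strings,
    compounds as (op, left, right) with op in {"\\", "/"}."""
    s = text.replace(" ", "")
    while s.startswith("(") and _matching_paren(s, 0) == len(s) - 1:
        s = s[1:-1]
    depth = 0
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "\\/":
            return (ch, parse(s[:i]), parse(s[i + 1:]))
    if not s.isalnum():
        raise ValueError(f"not a product-free formula: {text!r}")
    return s


def _is(f, op):
    return isinstance(f, tuple) and f[0] == op


class Prover:
    """Backward search over the four dual-connective rules with a memo table.

    `table` maps a pair of subformulas (x, y) to the verdict for x |- y, so each of
    the O(n^2) candidate sequents is decided once even when several proofs share it.
    Every rule strictly shrinks the sequent, so the recursion terminates."""

    def __init__(self):
        self.table = {}

    def holds(self, x, y):
        key = (x, y)
        if key not in self.table:
            self.table[key] = self._search(x, y)
        return self.table[key]

    def _search(self, x, y):
        if isinstance(x, str) and isinstance(y, str):
            return x == y                              # Id, on atoms only
        # (B\C) |- (A\D)   from   A |- B   and   C |- D
        if _is(x, "\\") and _is(y, "\\"):
            (_, b, c), (_, a, d) = x, y
            if self.holds(a, b) and self.holds(c, d):
                return True
        # (C/B) |- (D/A)   from   A |- B   and   C |- D
        if _is(x, "/") and _is(y, "/"):
            (_, c, b), (_, d, a) = x, y
            if self.holds(a, b) and self.holds(c, d):
                return True
        # A |- (D/(B\C))   from   A |- B   and   C |- D
        if _is(y, "/") and _is(y[2], "\\"):
            d, (_, b, c) = y[1], y[2]
            if self.holds(x, b) and self.holds(c, d):
                return True
        # A |- ((C/B)\D)   from   A |- B   and   C |- D
        if _is(y, "\\") and _is(y[1], "/"):
            (_, c, b), d = y[1], y[2]
            if self.holds(x, b) and self.holds(c, d):
                return True
        return False


def provable(left, right, prover=None):
    """True iff the two-formula sequent left |- right is a tautology of NL^{\\/}."""
    prover = prover if prover is not None else Prover()
    return prover.holds(parse(left), parse(right))


if __name__ == "__main__":
    for l, r in [(r"b", r"a/(b\a)"),                        # type raising
                 (r"a/(b\a)", r"a/((a/(b\a))\a)"),          # the Section 3 example
                 (r"a\b", r"(a\c)/(b\c)")]:                 # composition: fails in NL
        print(f"{l} |- {r}: {provable(l, r)}")
```

Passing one `Prover` to several calls keeps the table across them; its size after deciding the Section 3 example stays far below the number of proof-tree nodes a tree-shaped search would visit, which is the point of Remark 11.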
Abstract. We define sequent-style calculi for nominal tense logics characterized by classes of modal frames that are first-order definable by certain $\Pi_1$-formulae and $\Pi_2$-formulae. The calculi are based on d'Agostino and Mondadori's calculus KE and therefore they admit a restricted cut rule that is not eliminable. A nice computational property of the restriction is, for instance, that at any stage of the proof, only a finite number of potential cut-formulae needs to be taken under consideration. Although restrictions on the proof search (preserving completeness) are given in the paper and most of them are theoretically appealing, the use of those calculi for mechanization is however doubtful. Indeed, we present sequent calculi for fragments of classical logic that are syntactic variants of the sequent calculi for the nominal tense logics.



1 Introduction 

Background. The nominal tense logics are extensions of Prior tense logics (see e.g. [Pri57,RU71]) by adding nominals (also called names) to the language (see e.g. [Bla93]). Nominals are understood as atomic propositions that hold true in a unique world of the Kripke-style models. The nominal tense logics are quite expressive since not only do they extend the standard (mono)modal logics by adding a past operator (giving the tense flavour) but they also admit nominals in the language. In spite of the analogy between nominals (in the object language of the logic) and prefixes, also called labels, used in various proof systems for modal logics (see e.g. [Fit83,Wal90]), no proof systems for nominal tense logics using this conceptual similarity exist. This is all the more surprising because during the last years, prefixed calculi have regained some interest (see e.g. [Ogn94,Mas94,Gov95,Rus96,Gab96,BMV97,BG97]).

Although designing general frameworks defining proof systems for modal logics is a fundamental task, other works deal with the difficult problem of significantly improving the mechanization of logics by finding refined properties, mostly proof-theoretical, that provide better complexity bounds or that allow the design of efficient decision procedures (see e.g. [Hud96,GHM98,Heu98]). We claim that the latter approach is the most promising for mechanization. As witness, the present paper illustrates that for many nominal tense logics, it is not so difficult to find a general framework for mechanization as long as only qualitative



Neil V. Murray (Ed.): TABLEAUX’99, LNAI 1617, pp. 140-155, 1999. 
(c) Springer- Verlag Berlin Heidelberg 1999 



Sequent Calculi for Nominal Tense Logics 141 



properties (soundness, completeness, . . . ) are investigated. 

Our contribution. For any nominal tense logic $\mathcal{L}$ from the class $\mathcal{C}_{\Pi_0}$ defined in this paper, we define a sequent-style calculus, say $G\mathcal{L}$, that is based on the sequent-style counterpart of the calculus KE defined in [dM94]. Our calculi admit a cut rule satisfying the following nice computational properties. When reading the proof upwards, at any stage of the construction of the proof,

(CR1) the number of potential cut-formulae is linear in the size of the part of the proof constructed so far;

(CR2) any potential cut-formula can be computed in linear time in the size of the part of the proof constructed so far;

(CR3) the size of any potential cut-formula is linear in the size of the part of the proof constructed so far (a consequence of (CR2)).

(CR1) means for instance that when growing the proofs upwards, if one decides to apply the cut rule at some stage, only a limited number of candidate cut-formulae could be useful to end the construction of the proof. The non-determinism of the cut rule is therefore weakened. Analyticity is however not guaranteed because new nominals are introduced during the construction of the proofs. It is known (see e.g. [Boo84,dM94]) that cut-elimination is not always a guarantee for (efficient) mechanization. The search for some analytic cut rule is often desirable and the calculi defined in this paper follow that line of research. Furthermore, we take advantage of the presence of nominals in the modal language to use "implicit prefixes" in the proof systems. As far as we know, the idea of using such implicit prefixes when nominals are involved is due to Konikowska [Kon97]. In [Kon97], Rasiowa-Sikorski-style calculi for relative similarity logics are defined. Herein, we generalize the use of implicit prefixes to a class of nominal tense logics and we introduce various restrictions on the applications of the rules while preserving completeness. Although, for some particular logics, decision procedures can be obtained using the restrictions, in the general case the design of decision procedures (when possible) is not straightforward from our calculi. It is also fair to state that the paper [Kon97] has been a source of inspiration in order to develop some of the ideas present in this paper.

In the last part of the paper, we define sequent-style calculi (based on KEQ [d'A90]), say $G\mathrm{FOL}_{\mathcal{L}}$, for fragments of classical logic such that the calculi $G\mathcal{L}$ and $G\mathrm{FOL}_{\mathcal{L}}$ can clearly be viewed as syntactic variants. This allows one to observe that $G\mathcal{L}$ is first-order in nature and to explain why it is so. Moreover, it clearly raises questions about the relevance of defining calculi within a general proof-theoretical framework when mechanization is wanted. Apart from the technical results of the paper, we wish to formally illustrate why numerous calculi for modal logics can be viewed as an encoding into classical logic. Although this fact is widely recognized for particular systems, we want here to propose a more general picture since the class $\mathcal{C}_{\Pi_0}$ is quite large.

Related work. Most of the proof systems designed for nominal tense logics are Hilbert-style ones [Bla93]. Calculi for (non-nominal) tense logics can for instance be found in [RU71,Kra96,Heu98,BG98], but these calculi do not treat the nominal case and they do not consider so large a class of logics as $\mathcal{C}_{\Pi_0}$. In [DG99], display calculi for nominal tense logics have been defined and cut is not only eliminable but a strong normalization theorem is also established. For all the calculi designed in the present paper, cut (or equivalently the principle of bivalence) is not eliminable. Furthermore, the sequent calculi defined in the present paper are based on a completely different approach: we rather use the nominals as "implicit prefixes". In that sense, our calculi are explicit systems following [Gor99] but without introducing any extra proof-theoretical device that does not belong to the object modal language. Furthermore, the calculi defined in this paper do not differ very much in spirit from those defined in [Rus96,BMV98]. Indeed, we associate syntactically rules to formulas defining relational theories. However, we are able to capture all the conditions on frames for the properly displayable modal logics defined in [Kra96]. We wish also to thank one of the referees for pointing us to [Bla98,Tza99] where tableau-style calculi having technical similarities with ours have been defined.

2 Nominal tense logics 

Given a countably infinite set¹ $\mathrm{For}_0 = \{p_0, p_1, p_2, \ldots\}$ of atomic propositions 
and a countably infinite set $\mathrm{For}_N = \{i_0, i_1, i_2, \ldots\}$ of names, the formulas 
$\phi \in \mathrm{NTL}(G,H)$ are inductively defined as follows: 

$\phi ::= p \mid i \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid \phi_1 \Rightarrow \phi_2 \mid G\phi \mid H\phi$ 

for $p \in \mathrm{For}_0$ and $i \in \mathrm{For}_N$. Standard abbreviations include $P$. We write 
$|\phi|$ to denote the length of the formula $\phi$ for some (unspecified) succinct 
encoding. An occurrence of the formula $\psi$ is said to be a subformula of the 
formula $\phi$ of secondary disjunctive force iff $\psi$ is a subformula of $\phi$ and $\psi$ is 
the immediate subformula either of a conjunction in $\phi$ of negative polarity or of 
an implication in $\phi$ of positive polarity. We use here the usual notion of polarity. 
For instance, $p_0$ occurs negatively in $(p_1 \wedge p_0) \Rightarrow p_2$. 
A modal frame $\mathcal{F} = (W, R)$ is a pair such that $W$ is a non-empty set and $R$ is 
a binary relation on $W$. We use $R(w) = \{v \in W : (w, v) \in R\}$. A model $\mathcal{M}$ 
is a structure $\mathcal{M} = (W, R, m)$ such that $(W, R)$ is a frame and $m$ is a mapping 
$m : \mathrm{For}_0 \cup \mathrm{For}_N \to \mathcal{P}(W)$ where for any $i \in \mathrm{For}_N$, $m(i)$ is a singleton. Let 
$\mathcal{M} = (W, R, m)$ be a model and $w \in W$. The formula $\phi$ is satisfied by the world 
$w \in W$ in $\mathcal{M}$ iff $\mathcal{M}, w \models \phi$, where the satisfaction relation $\models$ is inductively 
defined as follows: $\mathcal{M}, w \models p$ iff $w \in m(p)$, for every $p \in \mathrm{For}_0 \cup \mathrm{For}_N$; 
$\mathcal{M}, w \models G\phi$ iff for every $w' \in R(w)$, $\mathcal{M}, w' \models \phi$; $\mathcal{M}, w \models H\phi$ iff for 
every $w' \in R^{-1}(w)$, $\mathcal{M}, w' \models \phi$ ($R^{-1}$ is the converse of $R$). We omit the 
standard conditions for the propositional connectives. A formula $\phi$ is true in a 
model $\mathcal{M}$ (written $\mathcal{M} \models \phi$) iff for every $w \in W$, $\mathcal{M}, w \models \phi$. A formula $\phi$ is 
true in a frame $\mathcal{F}$ (written $\mathcal{F} \models \phi$) iff $\phi$ is true in every model based on $\mathcal{F}$. 
In what follows, by a logic $\mathcal{L}$ we understand a pair $(\mathrm{NTL}(G,H), \mathcal{C})$ where $\mathcal{C}$ 
is a non-empty class of modal frames. A formula $\phi$ is said to be $\mathcal{L}$-valid iff $\phi$ 
is true in all the models based on the frames 

¹ The metavariables for atomic propositions [resp. for nominals] are $p, q, \ldots$ [resp. 
$i, j, \ldots$]. When $p$ [resp. $i$] is subscripted by some natural number, we mean exactly 
the members from $\mathrm{For}_0$ [resp. from $\mathrm{For}_N$]. 
of $\mathcal{C}$. A formula $\phi$ is said to be $\mathcal{L}$-satisfiable iff $\neg\phi$ is not $\mathcal{L}$-valid. Now, we define 
the class $\mathcal{C}_{\Pi_2}$ of nominal tense logics announced in the introduction. First, we 
need to present preliminary definitions. Here, we consider the fragment of FOL 
built using the following vocabulary: $\top$ is the logical constant; $\{P_k : k \in \omega\}$ 
is a countable set of unary predicate symbols; $R$ and $=$ (identity) are the unique 
binary predicate symbols; $\{a_k : k \in \omega\}$ is a countable set² of individual constants; 
$\{x_k : k \in \omega\} \cup \{y_k : k \in \omega\}$ is a countable set of individual variables. A $\Pi_1$- 
formula is a FOL-formula of the form $\forall x_1 \ldots \forall x_n\, \phi$ where $\phi$ is quantifier-free and 
$n \geq 1$. A $\Pi_2$-formula is a FOL-formula of the form $\forall x_1 \ldots \forall x_n \exists y_1 \ldots \exists y_m\, \phi$ 
where $\phi$ is quantifier-free and $n, m \geq 1$. A restricted $\Pi_2$-formula $\psi$ is defined 
here as a FOL-formula of the form $\forall x_1 \ldots \forall x_n \exists y_1 \ldots \exists y_m\, (\phi_1 \Rightarrow \phi_2)$ where 

1. $\psi$ is in prenex normal form (PNF) and $\phi_1 \Rightarrow \phi_2$ is precisely its matrix; 

2. $\phi_1$ and $\phi_2$ are formulas built upon the binary predicate symbols $R$, $=$, the 
truth logical constant $\top$ and from $\{x_1, \ldots, x_n, y_1, \ldots, y_m\}$ (no individual 
constant occurs in $\phi_1 \Rightarrow \phi_2$); $n \geq 1$; $m \geq 0$; 

3. $\phi_1$ is either the logical constant $\top$ or a finite conjunction of literals (atomic 
formulae or negated atomic formulae) where no $y_j$ occurs in $\phi_1$; 

4. $\phi_2$ is a disjunction of conjunctions of literals. 

A nominal tense logic $\mathcal{L} = (\mathrm{NTL}(G,H), \mathcal{C})$ is an element of the class $\mathcal{C}_{\Pi_2}$ iff 
there is a set³ $\Sigma$ of restricted $\Pi_2$-formulae such that $\mathcal{C}$ is exactly the set of 
frames satisfying each formula from $\Sigma$ (in the first-order sense). The class $\mathcal{C}$ of 
modal frames is also said to be $\mathcal{C}_{\Pi_2}$-definable. The class $\mathcal{C}_{\Pi_2}$ is quite large. By 
manipulation at the first-order level one can show: 

1. For any closed (unrestricted) $\Pi_2$-formula $\psi = \forall x_1 \ldots \forall x_n \exists y_1 \ldots \exists y_m\, (\phi_1 \Rightarrow \phi_2)$ 
in PNF such that the only variables in $\phi_1$ belong to $\{x_1, \ldots, x_n\}$, there exists 
a finite conjunction of restricted $\Pi_2$-formulae equivalent to $\psi$. 

2. Every primitive first-order formula in the sense of [Kra96] is logically 
equivalent to a restricted $\Pi_2$-formula. 

3. There exist $\mathcal{C}_{\Pi_2}$-definable classes of frames that contain only infinite 
frames (see e.g. [Bla93]). 

Expressivity of the restricted $\Pi_2$-formulae is also well illustrated by the fact 
that not only are there $\mathcal{C}_{\Pi_2}$-definable classes of frames that are not modally 
definable but also all the first-order classes of frames defined by a conjunction 
of conditions from Figure 2 and Figure 3 in [Gor99] are $\mathcal{C}_{\Pi_2}$-definable. All the 
first-order definable classes of frames considered in [Rus96,CFdCGH97] are $\mathcal{C}_{\Pi_2}$- 
definable and $\mathcal{C}_{\Pi_2}$ contains all the modal logics (in their nominal tense version) 
defined with Horn clauses from [BMV98]. Furthermore, for any nominal tense 
logic $\mathcal{L} = (\mathrm{NTL}(G,H), \mathcal{C})$ such that $\mathcal{C}$ is first-order definable by a finite set $\Sigma$ of 

² The metavariables for individual constants [resp. for individual variables] are $a, b, \ldots$ 
[resp. $x, y, \ldots$]. When $a$ [resp. $x$ and $y$] are subscripted by some natural numbers we 
mean exactly the members from $\{a_k : k \in \omega\}$ [resp. from $\{x_k : k \in \omega\} \cup \{y_k : k \in \omega\}$]. 
³ $\Sigma$ should be understood as a (possibly infinite) conjunction. 
restricted $\Pi_2$-formulae, it is known that the $\mathcal{L}$-validity problem can be translated 
into FOL-validity (using [Ben83,GG93]). However, there is no guarantee that $\mathcal{L}$ 
admits a proof system (based on KE for instance) such that the cut rule satisfies 
the conditions (CR1), (CR2) and (CR3) (see Section 1). In the present paper, 
the delimitation of the class $\mathcal{C}_{\Pi_2}$ has been designed in such a way that the 
sequent calculi (based on KE) admit a cut-rule satisfying the computationally 
nice conditions (CR1), (CR2) and (CR3); other restrictions on the applications 
of various rules shall be introduced. Those criteria distinguish our work from 
the standard translation into FOL but other criteria are of course possible, as 
done in [BMV97, Section 4] where enlightening analyses about the behaviour of 
the falsum $\bot$ can be found. To conclude this section, we warn the reader that 
although $\mathcal{C}_{\Pi_2}$ is undoubtedly a very large class, we do not know whether it contains any 
logic useful in practice. 

3 Sequent-style calculi for nominal tense logics 

In this section, $\mathcal{L}$ denotes a nominal tense logic $(\mathrm{NTL}(G,H), \mathcal{C})$ in $\mathcal{C}_{\Pi_2}$ character- 
ized by the set $\Sigma$ of restricted $\Pi_2$-formulae. 



3.1 Preliminaries 

Most of the prefixed tableaux calculi for modal logics use prefixes as a compact 
way to represent sets of positive literals in first-order logic. It partly explains why 
numerous calculi can be viewed as a “clever translation”⁴ into classical logic (see 
e.g. [Gen92]). For instance, in [Fit83], a prefix is defined as a (non-empty) se- 
quence of natural numbers. A sequence $i_1 \ldots i_n \in \omega^*$ ($n \geq 1$) can be understood 
(for example for the modal logic S4) as the set⁵ $\{R(a_{i_1 \ldots i_m}, a_{i_1 \ldots i_{m'}}) : 1 \leq m \leq 
m' \leq n\}$ of positive literals (the $a_\sigma$'s are individual constants). It is therefore 
inaccurate to believe that since prefixes can be interpreted at the metalevel by 
worlds, then prefixes and nominals have the same expressive power. Actually, 
the prefixes are more expressive since the nominals do not contain any infor- 
mation about the accessibility relation. However, formulas involving nominals 
can encode first-order literals, positive and negative ones, as shown below. For 
any model $\mathcal{M} = (W, R, m)$, it is easy to show that $i_1 \Rightarrow G\neg i_2$ is true in $\mathcal{M}$ 
iff $(m(i_1), m(i_2)) \notin R$. So, $i_1 \Rightarrow G\neg i_2$ can be used as a negative literal. What 
seems to be lost here is the conciseness of the representation: each literal is repre- 
sented by one nominal tense formula of the same length (modulo some constant) 
and it is the approach chosen in the calculi defined in Section 3.2. However, 
since we are dealing with logics whose satisfiability is NP-hard, the following 
argument shows that conciseness is a secondary issue for mechanization. Indeed, 

⁴ [BG97] is one of the rare papers where such a relationship is explicitly recognized. 

⁵ Since $\omega^*$ and $\omega$ have the same cardinality, without any loss of generality, we can 
assume that the individual constants and the nominals are respectively of the form 
$a_\sigma$ and $i_\sigma$ where $\sigma \in \omega^*$. 
let $i_1 \ldots i_n$ be a (non-empty) sequence of natural numbers representing a set $X$ 
of first-order positive literals, subset of $\{R(a_{i_1 \ldots i_m}, a_{i_1 \ldots i_{m'}}) : m, m' \in \{1, \ldots, n\}\}$ 
(it depends on the modal logic we consider but let us treat the general case). 
The length of $i_1 \ldots i_n$, say $|i_1 \ldots i_n|$, is naturally defined as the sum of the lengths 
(in binary writing) of the natural numbers occurring in $i_1 \ldots i_n$. For instance, 
$\mathrm{card}(X) \leq n^2$. Let $\phi_X$ be the following nominal tense formula 

$\phi_X = \bigwedge_{R(a_\sigma, a_{\sigma'}) \in X} (i_\sigma \Rightarrow \neg G\neg i_{\sigma'})$ 

that encodes the prefix $i_1 \ldots i_n$ (or equivalently that encodes $X$). The generalized 
conjunction $\bigwedge$ should be here understood as an abbreviation for a certain amount 
of binary conjunctions. $|\phi_X|$ is in $O(|i_1 \ldots i_n|^3)$ and therefore, if a formula $\phi$ 
has a proof $\Pi$ with the “concise representation” of the positive literals, then $\phi$ 
has a proof $\Pi'$ with the representation of literals “in extension” where $|\Pi'|$ is in 
$O(|\Pi|^3)$. The length of the proof $\Pi$, denoted $|\Pi|$, is defined as the number of 
nodes in the tree. In a more general setting, it would be necessary to use a more 
refined definition of proof complexity which takes into account the length of proof 
steps. Since the calculi involved in the paper use a very restricted cut-rule (the 
size of the cut-formula is linear in the size of the conclusion), our definition is 
sufficient for our needs. As no subexponential algorithm for any NP-hard problem 
is known, such a cubic overhead ($|\phi_X| \in O(|i_1 \ldots i_n|^3)$) is not so significant 
(even in the worst-case) when dealing with NP-hard problems (and a fortiori with 
PSPACE-hard problems). Of course, this is highly significant to establish tight 
complexity upper bounds as done in [Hud96]. In [Kri63,CFdCGH97] and [Heu98, 
Chapter 4], some of the graphical representations of the sets of (positive) first-order 
literals enjoy some conciseness property comparable to the one for prefixes. 
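The satisfaction relation of Section 2 and the nominal encoding of literals discussed in this subsection, as an added example that is not part of the original paper: a checker for $\mathcal{M}, w \models \phi$ over a finite model, used to confirm that $i_1 \Rightarrow G\neg i_2$ is true in $\mathcal{M}$ exactly when $(m(i_1), m(i_2)) \notin R$ and that $i_1 \Rightarrow \neg G\neg i_2$ is true exactly when the pair is in $R$. The tuple encoding of formulas and the sample model are constructed here and are not the paper's notation.

```python
# NTL(G, H) over finite Kripke models: the satisfaction relation of Section 2
# and the nominal encoding of R-literals from Section 3.1 (added example).
# Formulas are nested tuples (this example's own encoding):
#   ("p", name)   atomic proposition    ("nom", name)   nominal
#   ("not", f)    negation              ("and", f, g)   conjunction
#   ("imp", f, g) implication           ("G", f) / ("H", f)  tense operators
from itertools import product


class Model:
    """M = (W, R, m): R is a set of pairs; m sends each atomic proposition to a
    set of worlds and each nominal to a singleton, stored here as its element."""

    def __init__(self, worlds, R, props, nominals):
        self.W = frozenset(worlds)
        self.R = frozenset(R)
        self.props = {p: frozenset(v) for p, v in props.items()}
        for name, w in nominals.items():
            if w not in self.W:
                raise ValueError(f"nominal {name} names an unknown world {w}")
        self.nominals = dict(nominals)

    def succ(self, w):
        """R(w) = {v in W : (w, v) in R}"""
        return {v for (u, v) in self.R if u == w}

    def pred(self, w):
        """R^{-1}(w): the converse relation applied to w"""
        return {u for (u, v) in self.R if v == w}

    def sat(self, w, f):
        """M, w |= f"""
        kind = f[0]
        if kind == "p":
            return w in self.props.get(f[1], frozenset())
        if kind == "nom":
            return self.nominals[f[1]] == w
        if kind == "not":
            return not self.sat(w, f[1])
        if kind == "and":
            return self.sat(w, f[1]) and self.sat(w, f[2])
        if kind == "imp":
            return (not self.sat(w, f[1])) or self.sat(w, f[2])
        if kind == "G":   # every R-successor satisfies f
            return all(self.sat(v, f[1]) for v in self.succ(w))
        if kind == "H":   # every R-predecessor satisfies f
            return all(self.sat(v, f[1]) for v in self.pred(w))
        raise ValueError(f"unknown connective {kind}")

    def true(self, f):
        """M |= f: f is satisfied at every world of M."""
        return all(self.sat(w, f) for w in self.W)


def pos_literal(i, j):
    """i => not G not j, the nominal encoding of the positive literal R(i, j)."""
    return ("imp", ("nom", i), ("not", ("G", ("not", ("nom", j)))))


def neg_literal(i, j):
    """i => G not j, the nominal encoding of the negative literal not R(i, j)."""
    return ("imp", ("nom", i), ("G", ("not", ("nom", j))))


def check_literal_encoding(model):
    """True iff, for every pair of nominals i, j of the model,
    M |= pos_literal(i, j) exactly when (m(i), m(j)) is in R and
    M |= neg_literal(i, j) exactly when it is not."""
    for i, j in product(model.nominals, repeat=2):
        edge = (model.nominals[i], model.nominals[j]) in model.R
        if model.true(pos_literal(i, j)) != edge:
            return False
        if model.true(neg_literal(i, j)) == edge:
            return False
    return True


# Constructed sample model: a path 0 -> 1 -> 2, nominal i_k naming world k,
# and the atomic proposition p true at worlds 1 and 2.
SAMPLE = Model(worlds={0, 1, 2}, R={(0, 1), (1, 2)},
               props={"p": {1, 2}}, nominals={"i0": 0, "i1": 1, "i2": 2})

if __name__ == "__main__":
    print(SAMPLE.sat(0, ("G", ("p", "p"))))        # G p holds at world 0
    print(SAMPLE.true(neg_literal("i0", "i2")))    # (0, 2) is not an R-edge
    print(check_literal_encoding(SAMPLE))
```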



3.2 Definition 

The basic syntactic objects in the calculus are sequents. A sequent is an expres- 
sion of the form $\Gamma \vdash \Delta$ where $\Gamma$ and $\Delta$ are finite multisets of nominal tense 
formulae, i.e. unordered collections of formulae that may contain several occur- 
rences of the same formula. We write $\phi$ for $\{\phi\}$ and let “,” denote the multiset 
union. The length of the sequent $\Gamma \vdash \Delta$, denoted $|\Gamma \vdash \Delta|$, is the sum of the 
lengths of the elements of $\Gamma, \Delta$. The sequent calculus, say $G\mathcal{L}$, for the logic 
$\mathcal{L}$ contains the rules in Figures 1-3. Other rules depending on $\Sigma$ are presented 
when needed. In Figure 2, the rules (refl), (sym) and (trans) encode properties 
of identity (reflexivity, symmetry and transitivity). Similarly, the rules $(sub \vdash)$ 
and $(\vdash sub)$ (“sub” stands for substitution) encode that identical terms can be 
substituted. The (start)-rule has a special status since in any proof, this rule 
is applied exactly once, at the root (with the forthcoming restriction (Rstart)). 
This initiates the introduction of nominals that behave as prefixes. Observe that 
$i \Rightarrow \phi$ is $\mathcal{L}$-valid iff $\phi$ is $\mathcal{L}$-valid when $i$ does not occur in $\phi$. 

We continue here the definition of $G\mathcal{L}$. Let $\sigma$ be a finite sequence of formulas 
of the form $i \Rightarrow j$, $i \Rightarrow \neg j$, $i \Rightarrow \neg G\neg j$, $i \Rightarrow G\neg j$. Those formulae precisely “en- 
code” positive and negative first-order literals whose (binary) predicate symbol 
is either $=$ or $R$. We define the sequent $(\Gamma \vdash \Delta) \otimes \sigma$ inductively on the length 
(initial sequents) 

$\dfrac{\vdash i \Rightarrow \phi}{\vdash \phi}$ (start) 

For the (start)-rule, $i$ does not occur in $\phi$. 

Fig. 1. Initial sequents and the rule (start) 



of $\sigma$ as follows ($\lambda$ denotes the empty string and $\otimes$ is simply an operator that 
inserts formulae in sequents): 

- $(\Gamma \vdash \Delta) \otimes \lambda = \Gamma \vdash \Delta$; 

- $(\Gamma \vdash \Delta) \otimes (i \Rightarrow j).\sigma' = (\Gamma, i \Rightarrow j \vdash \Delta) \otimes \sigma'$; 

- $(\Gamma \vdash \Delta) \otimes (i \Rightarrow G\neg j).\sigma' = (\Gamma, i \Rightarrow G\neg j \vdash \Delta) \otimes \sigma'$; 

- $(\Gamma \vdash \Delta) \otimes (i \Rightarrow \neg j).\sigma' = (\Gamma \vdash \Delta, i \Rightarrow j) \otimes \sigma'$; 

- $(\Gamma \vdash \Delta) \otimes (i \Rightarrow \neg G\neg j).\sigma' = (\Gamma \vdash \Delta, i \Rightarrow G\neg j) \otimes \sigma'$. 



Let $\psi$ be a restricted $\Pi_2$-formula of the form 

$\forall x_1 \ldots \forall x_n \exists y_1 \ldots \exists y_m\; \Big( \bigwedge_{r=1}^{l(0)} s^0_r P^0_r(z^r_{1,0}, z^r_{2,0}) \;\Rightarrow\; \bigvee_{q=1}^{k} \bigwedge_{r=1}^{l(q)} s^q_r P^q_r(z^r_{1,q}, z^r_{2,q}) \Big)$ 

where 

1. each $P^q_r$ belongs to $\{=, R\}$; each $s^q_r$ belongs to $\{\lambda, \neg\}$ ($\lambda$ is the empty string); 

2. each $z^r_{\alpha,0}$ ($1 \leq \alpha \leq 2$, $1 \leq r \leq l(0)$) belongs to $\{x_1, \ldots, x_n\}$; 

3. each $z^r_{\alpha,q}$ ($1 \leq \alpha \leq 2$, $1 \leq q \leq k$, $1 \leq r \leq l(q)$) belongs to $\{x_1, \ldots, x_n, y_1, \ldots, y_m\}$. 

We shall now define the $(\psi)$-rule that mimics the syntactic structure of $\psi$. For 
any $i, j \in \mathrm{For}_N$, for any $s, s' \in \{\lambda, \neg\}$ such that $s \neq s'$ and for any $P \in \{=, R\}$, 
let us define the formula $F(sP, i, j)$ as follows: 

$F(sP, i, j) = \begin{cases} i \Rightarrow s' G\neg j & \text{if } P = R; \\ i \Rightarrow s\, j & \text{otherwise.} \end{cases}$ 

Roughly speaking, a literal $sP(x_k, x_{k'})$ in $\psi$ shall be encoded by $F(sP, i_k, i_{k'})$. 
For any formula $\psi$ in $\Sigma$ we add the $(\psi)$-rule in Figure 4 to $G\mathcal{L}$. The conditions 
1. and 2. in Figure 4 relate the $(\psi)$-rule with the structure of $\psi$ (without taking 
care of the variables). Condition 3.(a) roughly states that each variable occur- 
ring in $\psi$ corresponds to a unique nominal in the application of the $(\psi)$-rule. 
Condition 3.(b) states that the nominals corresponding to the $y_j$'s are new on 
the branch. The $(\psi)$-rule can be viewed as a generalization of the “$\rho$-rule” in 
[Bal98] and of the “Horn relational rule” in [BMV97,BMV98]. More generally, 
the $(\psi)$-rules merely encode the logical consequence relation of the first-order 
relational theory of $\mathcal{L}$ (as also done in [Gen92]). Furthermore, since the definition 
of the $(\psi)$-rules is purely syntactic, it is not guaranteed that for logics $\mathcal{L}, \mathcal{L}'$ in 
$\mathcal{C}_{\Pi_2}$ characterized by $\Sigma$ and $\Sigma'$ respectively, if $\Sigma$ and $\Sigma'$ define the same class of 
frames, then $G\mathcal{L}$ and $G\mathcal{L}'$ have exactly the same rules. 
Fig. 2. Common core of (introduction) rules in $G\mathcal{L}$: the left and right introduction 
rules for $\neg$, $\wedge$ and $\Rightarrow$ on formulas of the form $i \Rightarrow \phi$; the rules $(G \vdash)$, $(\vdash G)$, 
$(H \vdash)$ and $(\vdash H)$ (in $(\vdash H)$ and $(\vdash G)$, $j$ does not occur in the conclusion); the 
rules $(NOM_= \vdash)$, $(\vdash NOM_=)$, $(NOM_G \vdash)$, $(\vdash NOM_G)$, $(NOM_H \vdash)$ and $(\vdash NOM_H)$; 
the identity rules (refl), (sym) and (trans); and the substitution rules $(sub \vdash)$, 
$(\vdash sub)$, $(sub' \vdash)$ and $(\vdash sub')$. 
$\dfrac{\Gamma \vdash \Delta, i \Rightarrow \phi \qquad \Gamma, i \Rightarrow \phi \vdash \Delta}{\Gamma \vdash \Delta}$ (PB) 

Fig. 3. Principle of bivalence 



$\dfrac{(\Gamma \vdash \Delta) \otimes \sigma_1 \quad \ldots \quad (\Gamma \vdash \Delta) \otimes \sigma_k}{(\Gamma \vdash \Delta) \otimes \sigma_0}$ $(\psi)$ 

1. $\sigma_0 = F(s^0_1 P^0_1, i^1_{1,0}, i^1_{2,0}) \ldots F(s^0_{l(0)} P^0_{l(0)}, i^{l(0)}_{1,0}, i^{l(0)}_{2,0})$; 

2. for $1 \leq u \leq k$, $\sigma_u = \sigma_0 . F(s^u_1 P^u_1, i^1_{1,u}, i^1_{2,u}) \ldots F(s^u_{l(u)} P^u_{l(u)}, i^{l(u)}_{1,u}, i^{l(u)}_{2,u})$; 

3. for any $\alpha, \alpha' \in \{1, 2\}$, $q, q' \in \{1, \ldots, k\}$, $r \in \{1, \ldots, l(q)\}$ and $r' \in \{1, \ldots, l(q')\}$, 

(a) $z^r_{\alpha,q} = z^{r'}_{\alpha',q'}$ iff $i^r_{\alpha,q} = i^{r'}_{\alpha',q'}$; 

(b) if $z^r_{\alpha,q}$ is equal to some $y_j$, then $i^r_{\alpha,q}$ does not occur in the conclusion. 

Fig. 4. $(\psi)$-rule for $\psi \in \Sigma$ 



Example 1. Let $\mathcal{L}_{\neq} = (\mathrm{NTL}(G,H), \mathcal{C}_{\neq})$ be the nominal tense logic such that 
$\Sigma = \{\forall x, y\; R(x,y) \Rightarrow \neg(x=y),\; \forall x, y\; \neg(x=y) \Rightarrow R(x,y)\}$. The tense operators $G$ 
and $H$ are actually equivalent and $G$ is merely the difference modal operator 
$[\neq]$. The rules of $G\mathcal{L}_{\neq}$ are those in Figures 1-3 plus the rules defined from $\Sigma$: 

$\dfrac{\Gamma \vdash \Delta, i \Rightarrow G\neg j, i \Rightarrow j}{\Gamma \vdash \Delta, i \Rightarrow G\neg j}$ \qquad $\dfrac{\Gamma \vdash \Delta, i \Rightarrow G\neg j, i \Rightarrow j}{\Gamma \vdash \Delta, i \Rightarrow j}$ 

A proof $\Pi$ in $G\mathcal{L}$ is a tree whose nodes are labelled by sequents satisfying the 
following conditions: the topmost sequents of $\Pi$ are initial sequents and every 
sequent of $\Pi$, except the lowest one, is an upper sequent of an inference whose 
lower sequent is also in $\Pi$. A formula $\phi$ is provable in $G\mathcal{L}$ iff there is a proof 
$\Pi$ in $G\mathcal{L}$ such that $\vdash \phi$ is the lowest sequent of $\Pi$. 
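The operator $\otimes$ of Section 3.2 and the instantiation of the $(\psi)$-rule of Figure 4, as an added example that is not code from the paper: given a restricted $\Pi_2$-formula as its antecedent literals and its disjuncts, plus an assignment of a nominal to every variable, it builds the premises and the conclusion of the rule, and reproduces the two rules of Example 1. The string encoding of formulas and the variable-to-nominal assignment are this example's own conventions; conditions 3.(a) and 3.(b) of Figure 4 (distinct variables get distinct nominals, $y$-nominals are fresh) are left to the caller.

```python
# The operator (Gamma |- Delta) (x) sigma of Section 3.2 and the instantiation
# of the (psi)-rule of Figure 4 (added example, not the paper's own code).
# Nominal tense formulas are plain strings such as "i => G not j"; a sequent is
# a pair (antecedent list, succedent list) standing for the two multisets.

def lit_formula(sign, pred, i, j):
    """F(sP, i, j): sign in {"", "not"}, pred in {"=", "R"}.
    R(i,j) -> "i => not G not j"    not R(i,j) -> "i => G not j"
    i = j  -> "i => j"              not i = j  -> "i => not j" """
    if pred == "R":   # the opposite sign s' is placed in front of G
        return f"{i} => {'not ' if sign == '' else ''}G not {j}"
    return f"{i} => {'not ' if sign == 'not' else ''}{j}"


def insert(sequent, sigma):
    """(Gamma |- Delta) (x) sigma.  Positive =-literals and negative R-literals
    are added to the antecedent as they stand; negative =-literals and positive
    R-literals are added to the succedent as "i => j" and "i => G not j"."""
    gamma, delta = list(sequent[0]), list(sequent[1])
    for f in sigma:
        i, body = f.split(" => ", 1)
        if body.startswith("not G not "):      # i => not G not j
            delta.append(f"{i} => G not {body[len('not G not '):]}")
        elif body.startswith("G not "):        # i => G not j
            gamma.append(f)
        elif body.startswith("not "):          # i => not j
            delta.append(f"{i} => {body[len('not '):]}")
        else:                                  # i => j
            gamma.append(f)
    return (gamma, delta)


def psi_rule(antecedent, disjuncts, nominals, sequent=((), ())):
    """Premises and conclusion of the (psi)-rule for
    psi = forall x exists y ( /\\ antecedent => \\/_u /\\ disjuncts[u] ).
    Each literal is (sign, pred, var1, var2); `nominals` maps every variable
    to a nominal (conditions 3.(a) and 3.(b) of Figure 4 are assumed)."""
    def encode(lits):
        return [lit_formula(s, P, nominals[u], nominals[v]) for (s, P, u, v) in lits]
    sigma0 = encode(antecedent)                     # encodes phi_1
    conclusion = insert(sequent, sigma0)
    premises = [insert(sequent, sigma0 + encode(d)) for d in disjuncts]
    return premises, conclusion


# Sigma of Example 1: R(x,y) => not(x=y)  and  not(x=y) => R(x,y)
EXAMPLE1 = [
    ([("", "R", "x", "y")], [[("not", "=", "x", "y")]]),
    ([("not", "=", "x", "y")], [[("", "R", "x", "y")]]),
]


def example1_rules(nominals=None):
    """The two rules derived from Sigma of Example 1, with x -> i and y -> j."""
    nominals = nominals or {"x": "i", "y": "j"}
    return [psi_rule(a, d, nominals) for a, d in EXAMPLE1]


if __name__ == "__main__":
    for premises, conclusion in example1_rules():
        print(premises, "/", conclusion)
```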



3.3 Soundness, restrictions and completeness 

Lemma 1. Let $\Gamma \vdash \Delta$ be a sequent provable in $G\mathcal{L}$. Then, for any $\mathcal{C}$-model $\mathcal{M}$, 
if every $\phi \in \Gamma$ is true in $\mathcal{M}$, then $\phi'$ is true in $\mathcal{M}$ for some $\phi' \in \Delta$. 

The proof is by induction on the length of the derivation. It is more standard 
to prove soundness by using the notion of satisfiability in a model rather than 
the notion of truth in a model as done here. 

Theorem 2. If $\phi \in \mathrm{NTL}(G,H)$ is provable in $G\mathcal{L}$, then $\phi$ is $\mathcal{L}$-valid. 

The system $G\mathcal{L}$ is not minimal since for instance, the $(\vdash NOM_=)$-rule, the 
$(NOM_H \vdash)$-rule and the $(NOM_G \vdash)$-rule are derivable from the rest of $G\mathcal{L}$. 
These rules are included for the sake of symmetry. The system $G\mathcal{L}$ is considerably 
improved for the mechanization by imposing the restrictions (Rinit), (Rstart), 
(R=), (Rno-renaming), (RPB), (Rnom), (Rwitness), (Rsub') and $(R_\psi)$ for $\psi \in \Sigma$ 
defined below. In the rest of the paper, by $G\mathcal{L}$, we mean the calculus with such 
restrictions. First, any nominal $j$ that occurs on a branch of a (possibly partial) 
proof whose root is labeled by $\phi$ is a p-name (standing for “implicit prefix”) iff 
$j$ has been placed on the branch by application of a rule that introduces new 
nominals. The notion of p-name is similar to that of Skolem constants. 

- (Rinit) for the initial sequents is: any $\phi'$ occurring in $\Gamma, \phi' \vdash \Delta, \phi'$ 
is of the form $j \Rightarrow \psi$ where $j$ is a p-name and $\psi$ is either a subformula of 
$\phi$ (syntactically) equal to an atomic proposition, or a p-name, or a nominal 
occurring in the root sequent $\vdash \phi$, or a formula of the form $G\neg j'$ with $j'$ a 
p-name. 

- (Rstart) for the (start)-rule is: $\phi$ is not of the form $j \Rightarrow \psi$ where $j$ is a 
p-name. 

- (R=) concerns the rules (refl), (sym), (trans), $(\vdash sub)$ and $(sub \vdash)$: all 
the names $j, k$ are p-names. 

- (Rno-renaming) is: in $(\vdash G)$ and in $(\vdash H)$, $\psi$ is not a negated p-name. 

- (RPB) is: $i$ is a p-name and $\psi$ is either a subformula of $\phi$ of secondary 
disjunctive force, or $G\neg j$ with $j$ a p-name, or a p-name $j$. 

- (Rnom) concerns the rules $(\vdash NOM_=)$, $(NOM_= \vdash)$, $(\vdash NOM_G)$, 
$(NOM_G \vdash)$, $(\vdash NOM_H)$, $(NOM_H \vdash)$: $i$ and $i'$ are p-names whereas 
$j$ is not a p-name. 

- (Rwitness) concerns the rules $(G \vdash)$ and $(H \vdash)$: $i$ and $j$ are p-names. 

- (Rsub') is: in the $(sub' \vdash)$-rule and the $(\vdash sub')$-rule, $i$, $j$ and $j'$ are p- 
names. 

- The restriction $(R_\psi)$ for the $(\psi)$-rule for $\psi \in \Sigma$ is: all the nominals occur- 
ring in $\sigma_0$ are p-names. 

The sequent calculus $G\mathcal{L}$ (in its restricted form) has the following separation 
property: any p-name $i$ occurring in a branch does not occur in a formula $j \Rightarrow \psi$ 
occurring on the same branch, except when either $j = i$ or $\psi = G\neg i$ or $\psi = i$. 
This separation property illustrates the control on the use of nominals imposed 
by the above restrictions. 

Theorem 3. If $\phi \in \mathrm{NTL}(G,H)$ is $\mathcal{L}$-valid, then $\phi$ is provable in $G\mathcal{L}$. 

The proof of Theorem 3 (using Schütte's method) is based on a similar proof 
for classical logic. In Section 4, we formally state in which sense $G\mathcal{L}$ is equivalent 
to a calculus for a fragment of classical logic. 

4 Sequent calculi for fragments of classical logic with relational theories 

In this section, we define a first-order Gentzen-style calculus $GFOL_\mathcal{L}$ (based 
on the calculus KEQ [d'A90, Section 3.5]) such that $G\mathcal{L}$ and $GFOL_\mathcal{L}$ can be 
viewed as syntactic variants. This is the opportunity to formally present (once 
and for all) how a tableaux calculus can be viewed as a translation into clas- 
sical logic. Let us briefly recall the translation ST (“Standard Translation”) 
defined in [Ben83,GG93] of nominal tense formulae into the first-order language 
(here $t$ is either a variable or a constant): $ST(p_j, t) = P_j(t)$; $ST(i_j, t) = t = a_j$; 
$ST(\neg\psi, t) = \neg ST(\psi, t)$; $ST(\psi \oplus \psi', t) = ST(\psi, t) \oplus ST(\psi', t)$ for $\oplus \in \{\wedge, \Rightarrow\}$; 
$ST(G\psi, t) = \forall x'\, (R(t, x') \Rightarrow ST(\psi, x'))$ where $x'$ is a new variable; 
$ST(H\psi, t) = \forall x'\, (R(x', t) \Rightarrow ST(\psi, x'))$ where $x'$ is a new variable. It is known 
that $\phi$ is $\mathcal{L}$-valid iff $\Sigma \Rightarrow \forall x_0\, ST(\phi, x_0)$ is FOL-valid. The previous statement 
assumes that $\Sigma$ is a finite conjunction. By contrast, the developments in this 
section do not assume that $\Sigma$ is finite. The rules of the calculus $GFOL_\mathcal{L}$ are 
those presented in Figure 5 and Figure 6 (other rules are added later on). Like the 
notion of p-name in $G\mathcal{L}$, an individual constant $a$ occurring on a branch is said 
to be a p-constant (or Skolem constant) iff $a$ does not occur in the root sequent 
of the proof (possibly in construction) and it has been introduced on the branch 
by a rule putting new constants on the branches. We write $\phi(a_k)$ [resp. $\phi(x)$] to 
denote the formula whose $a_k$ is a p-constant occurring in it [resp. whose $x$ is a 
free individual variable occurring in it]. 
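The standard translation ST recalled above, as an added example that is not part of the paper: a recursive translator that introduces a fresh variable for each $G$ or $H$, together with the sentence $\forall x_0\, ST(\phi, x_0)$ whose FOL-validity under $\Sigma$ corresponds to $\mathcal{L}$-validity. The tuple encoding of nominal tense formulas and the textual first-order syntax are this example's own conventions.

```python
# The standard translation ST of Section 4 from nominal tense formulas into
# first-order logic (added example, not the paper's own code).
# Formulas are tuples (this example's own encoding): ("p", k) is p_k,
# ("nom", k) is i_k, ("not", f), ("and", f, g), ("imp", f, g), ("G", f), ("H", f).

class StandardTranslation:
    """ST(., t) with a counter supplying the fresh variables x' of the G and H
    clauses; one instance per translated formula keeps the variables distinct."""

    def __init__(self):
        self.counter = 0

    def fresh(self):
        self.counter += 1
        return f"x{self.counter}"

    def ST(self, f, t):
        """ST(f, t); t is a variable or constant given as a string."""
        kind = f[0]
        if kind == "p":                       # ST(p_k, t) = P_k(t)
            return f"P{f[1]}({t})"
        if kind == "nom":                     # ST(i_k, t) = t = a_k
            return f"{t}=a{f[1]}"
        if kind == "not":                     # ST(not f, t) = not ST(f, t)
            return f"~{self.ST(f[1], t)}"
        if kind in ("and", "imp"):            # ST(f (+) g, t) = ST(f, t) (+) ST(g, t)
            op = "&" if kind == "and" else "->"
            return f"({self.ST(f[1], t)} {op} {self.ST(f[2], t)})"
        if kind == "G":                       # forall x' (R(t, x') -> ST(f, x'))
            x = self.fresh()
            return f"forall {x} (R({t},{x}) -> {self.ST(f[1], x)})"
        if kind == "H":                       # forall x' (R(x', t) -> ST(f, x'))
            x = self.fresh()
            return f"forall {x} (R({x},{t}) -> {self.ST(f[1], x)})"
        raise ValueError(f"unknown connective {kind}")


def translate(f):
    """forall x0 ST(f, x0): L-validity of f is FOL-validity of this sentence
    under the relational theory Sigma."""
    return "forall x0 " + StandardTranslation().ST(f, "x0")


# Constructed sample: the negative literal i_1 => G not i_2 of Section 3.1.
NEG_LITERAL = ("imp", ("nom", 1), ("G", ("not", ("nom", 2))))

if __name__ == "__main__":
    print(translate(NEG_LITERAL))
    print(translate(("G", ("H", ("p", 0)))))
```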



$\Gamma, \phi \vdash \Delta, \phi$ (initial sequents) 

under the proviso: any formula $\phi$ in the initial sequent is (1) either a formula $\psi(a)$ 
where $\psi(x)$ is a subformula of $\forall x_0\, ST(\phi', x_0)$ and $a$ is the unique p-constant 
in $\psi(a)$ ($\psi(a)$ being atomic when it is the formula itself), (2) or a formula $a=b$ 
where $a$ is a p-constant and $b$ is either a p-constant or a constant occurring in 
$\forall x_0\, ST(\phi', x_0)$, (3) or a formula $R(a, b)$ where $a$ and $b$ are p-constants. 

$\dfrac{\Gamma \vdash \Delta, \phi \qquad \Gamma, \phi \vdash \Delta}{\Gamma \vdash \Delta}$ (PB) 

where either $\phi$ is a formula of secondary disjunctive force occurring below in the proof 
containing a unique p-constant or $\phi$ is of the form $a_k = a_{k'}$ or $R(a_k, a_{k'})$ where $a_k$ and 
$a_{k'}$ are p-constants. 

$\dfrac{\vdash ST(\phi, a_k)}{\vdash \forall x_0\, ST(\phi, x_0)}$ (start) 

the application of (start) is under the proviso that $a_k$ does not occur in $ST(\phi, x)$ (or 
equivalently, $i_k$ does not occur in $\phi$) and $\forall x_0\, ST(\phi, x_0)$ does not contain p-constants. 

Fig. 5. First bunch of rules for $GFOL_\mathcal{L}$ 



For instance, the rules $(\forall \vdash)_1$ and $(\forall \vdash)_2$ can be seen as derived rules in the 
calculus KEQ [d'A90] using the rules from KEQ recalled below 

$\dfrac{\Gamma, \forall x\, \phi(x), \phi(a) \vdash \Delta}{\Gamma, \forall x\, \phi(x) \vdash \Delta}$ \qquad $\dfrac{\Gamma, \phi_1, \phi_2 \vdash \Delta}{\Gamma, \phi_1, \phi_1 \Rightarrow \phi_2 \vdash \Delta}$ 

This explains why the universal quantification in modal logic can be naturally 
encoded in KEQ. 
Let $\sigma$ be a finite sequence of formulas of the form $R(a, a')$, $\neg R(a, a')$, $a=a'$, 
$\neg(a=a')$. We define the sequent $(\Gamma \vdash \Delta) \otimes' \sigma$ inductively as follows: 

- $(\Gamma \vdash \Delta) \otimes' \lambda = \Gamma \vdash \Delta$; $(\Gamma \vdash \Delta) \otimes' a=a'.\sigma' = (\Gamma, a=a' \vdash \Delta) \otimes' \sigma'$; 

- $(\Gamma \vdash \Delta) \otimes' \neg R(a, a').\sigma' = (\Gamma \vdash \Delta, R(a, a')) \otimes' \sigma'$; 

- $(\Gamma \vdash \Delta) \otimes' \neg(a=a').\sigma' = (\Gamma \vdash \Delta, a=a') \otimes' \sigma'$; 

- $(\Gamma \vdash \Delta) \otimes' R(a, a').\sigma' = (\Gamma, R(a, a') \vdash \Delta) \otimes' \sigma'$. 

Let $\psi$ be a restricted $\Pi_2$-formula in $\Sigma$ (we use the notations from Section 3). 
The rule associated to $\psi$ is presented in Figure 7. 

By construction, the calculi $G\mathcal{L}$ and $GFOL_\mathcal{L}$ have (almost) the same number 
of rules and there is a natural correspondence between the rules of $G\mathcal{L}$ and 
$GFOL_\mathcal{L}$. For instance, the $(\forall \vdash)_1$-rule in $GFOL_\mathcal{L}$ corresponds to the $(G \vdash)$-rule 
in $G\mathcal{L}$ and the $(sub \vdash)$-rule and $(sub' \vdash)$-rule in $G\mathcal{L}$ correspond to the $(sub_{FOL})$- 
rule in $GFOL_\mathcal{L}$. 

Let $\phi$ be a nominal tense formula and $\Pi$ be a proof of $\forall x_0\, ST(\phi, x_0)$ in $GFOL_\mathcal{L}$. 
By induction on the length of $\Pi$ one can show that any formula $\psi$ occurring in $\Pi$ 
has at most two p-constants occurring in it. Moreover, if $\psi$ is not an atomic formula 
whose predicate symbol is binary, then exactly one p-constant occurs in $\psi$ unless 
$\psi$ is the root formula $\forall x_0\, ST(\phi, x_0)$ itself. This is reminiscent of the facts that 
in standard modal logic, one can deal with only one world at a time and two 
individual variables are sufficient for encoding the quantification $\Box$ in first-order 
logic. Theorem 4 below helps understanding the relationships between $G\mathcal{L}$ and 
$GFOL_\mathcal{L}$. 

Theorem 4. (I) Let $\Pi$ be a proof of $\phi$ in $G\mathcal{L}$. Then, there is a proof $\Pi'$ of 
$\forall x_0\, ST(\phi, x_0)$ in $GFOL_\mathcal{L}$ such that $|\Pi'|$ is in $O(|\Pi|)$. 

(II) Let $\Pi$ be a proof of $\forall x_0\, ST(\phi, x_0)$ in $GFOL_\mathcal{L}$ for some nominal tense 
formula $\phi$. Then, there is a proof $\Pi'$ of $\phi$ in $G\mathcal{L}$ such that $|\Pi'|$ is in $O(|\Pi|)$. 

5 Concluding remarks 

The results of the previous sections can be extended to the polymodal case. 
Indeed, it is easy to consider, for some countable set $I$ of “modal terms”, the 
family $\{G_i : i \in I\} \cup \{H_i : i \in I\}$ of tense operators by appropriately considering 
polymodal Kripke models. The class $\mathcal{C}_{\Pi_2}$ is then defined as the class of polymodal 
logics such that the class of frames is determined by a (possibly infinite) set of 
restricted $\Pi_2$-formulae over the vocabulary containing $\{R_i : i \in I\}$. This exten- 
sion does not generate any new technical problems and it is quite powerful as 
shown below. Let $I_0 = \{c_0, \ldots, c_n, \ldots\}$ be a set of modal constants and $I$ be the 
set of modal terms $t$ inductively defined as follows: $t ::= id \mid c \mid -t \mid$ 
Fig. 6. Common core of (introduction rules) for $GFOL_\mathcal{L}$: the left and right rules 
for $\neg$, $\wedge$ and $\Rightarrow$; the rules $(\forall \vdash)_1$ and $(\forall \vdash)_2$ for formulas $\forall x\, (R(a, x) \Rightarrow \psi(x))$ and 
$\forall x\, (R(x, a) \Rightarrow \psi(x))$ and the corresponding right rules (under the proviso that $b$ 
does not occur in the lower sequent); the rules $(NOM'_= \vdash)$, $(\vdash NOM'_=)$, $(NOM'_G \vdash)$, 
$(\vdash NOM'_G)$, $(NOM'_H \vdash)$ and $(\vdash NOM'_H)$ (in these rules, $a_{k_1}$ and $a_{k_2}$ are p-constants 
and $a_k$ is not a p-constant); and the rules for identity (reflexivity, symmetry, 
transitivity) and substitution (in these rules, $a$, $b$ and $b'$ are p-constants). 
$\dfrac{(\Gamma \vdash \Delta) \otimes' \sigma_1 \quad \ldots \quad (\Gamma \vdash \Delta) \otimes' \sigma_k}{(\Gamma \vdash \Delta) \otimes' \sigma_0}$ $(\psi)$ 

1. $\sigma_0 = s^0_1 P^0_1(a^1_{1,0}, a^1_{2,0}) \ldots s^0_{l(0)} P^0_{l(0)}(a^{l(0)}_{1,0}, a^{l(0)}_{2,0})$ and all the constants in $\sigma_0$ are 
p-constants; 

2. for $1 \leq u \leq k$, $\sigma_u = \sigma_0 . s^u_1 P^u_1(a^1_{1,u}, a^1_{2,u}) \ldots s^u_{l(u)} P^u_{l(u)}(a^{l(u)}_{1,u}, a^{l(u)}_{2,u})$; 

3. for any $\alpha, \alpha' \in \{1, 2\}$, $q, q' \in \{1, \ldots, k\}$, $r \in \{1, \ldots, l(q)\}$ and $r' \in \{1, \ldots, l(q')\}$, 

(a) $z^r_{\alpha,q} = z^{r'}_{\alpha',q'}$ iff $a^r_{\alpha,q} = a^{r'}_{\alpha',q'}$; 

(b) if $z^r_{\alpha,q}$ is equal to some $y_j$, then $a^r_{\alpha,q}$ does not occur in the conclusion. 

Fig. 7. $(\psi)$-rule for $\psi \in \Sigma$ 



$t^{-1} \mid t_1 \cup t_2 \mid t_1 \cap t_2 \mid t_1 \circ t_2$ for $c \in I_0$. We wish to interpret the 
operators $-$, $\cup$, $\cap$ and $\circ$ and the identity constant $id$ as in the Relation 
Calculus. Although it is known that the Relation Calculus can be translated in 
classical logic, surprisingly, we can also capture such a semantics in our frame- 
work using only restricted $\Pi_2$-formulae. So, by using our framework we can deal 
with nominal (poly) tense logics admitting the operators $-$, $\cap$, $\cup$, $\circ$ and this is 
done uniformly⁶ (this list of operators is not exhaustive). By contrast, in [Bal98, 
Chapter VI], only the operators $\cup$ and $\circ$ and the constant $id$ are treated. 

In this paper, we defined sequent calculi for nominal tense logics. The idea of 
using “implicit prefixes” in the calculi, due to [Kon97], allows a great flexibility 
and we have been able to consider most of the first-order definable classes of modal 
frames that can be found in the literature. Using standard correspondences, it 
is easy to define tableaux calculi for nominal tense logics from our sequent-style 
calculi. Extensions of the calculi to cope with the logical consequence relations 
are also possible. Moreover, by appropriately modifying the (start)-rule, one can 
deal with finite configurations in the sense of [Rus96, Chapters 2 and 3]. Similarly, 
prefixed calculi (either sequent-based or tableaux-based) could be easily defined 
for the corresponding (non nominal) tense logics. For lack of space, such 
developments are omitted here but they are not difficult to derive from the 
present paper. Similarly, the design of decision procedures from our calculi was 
out of the scope of this paper but it is a question worth investigating in 
the future. 

The adequacy of our framework for mechanization cannot be stated with- 
out further investigations although it seems theoretically appealing (see for in- 
stance in Section 3.3 how the application of rules can be restricted). There is no 
reason to be overly optimistic since we have shown that the non prefixed sequent 
calculi are syntactic variants of restricted calculi for classical logic (augmented 
with relational theories). This property is shared by numerous calculi from the 
literature. As a conclusion, it is an open question whether any general frame- 
work defining sequent-style proof systems for modal (or nominal tense, ...) logics 
characterized by first-order definable classes of modal frames (take for instance 
$\mathcal{C}_{\Pi_2}$) is bound to define syntactic variants of calculi for fragments of classical 
logic augmented with relational theories. 

⁶ Numerous description logics can also be treated within our framework. 
Abstract. We define cut-free display calculi for nominal tense logics extending 
the minimal nominal tense logic (MNTL) by addition of primitive axioms. To do 
so, we use a translation of MNTL into the minimal tense logic of inequality 
(MTL≠) which is known to be properly displayable by application of Kracht's 
results. The rules of the display calculus δMNTL for MNTL mimic those of the 
display calculus δMTL≠ for MTL≠. Since δMNTL does not satisfy Belnap's condition 
(C8), we extend Wansing's strong normalisation theorem to get a similar theorem 
for any extension of δMNTL by addition of structural rules satisfying Belnap's 
conditions (C2)-(C7). Finally, we show a weak Sahlqvist-style theorem for 
extensions of MNTL, and by Kracht's techniques, deduce that these Sahlqvist 
extensions of δMNTL also admit cut-free display calculi. 



1 Introduction 

Background: The addition of names (also called nominals) to modal logics has 
been investigated recently with different motivations; see e.g. [Orlo84,PT85,Bla90]. 
A name is usually understood as an atomic proposition that holds true in a 
unique world of a Kripke model. Most of the time, the addition of names is in- 
tended to increase the expressive power of the initial logics. For instance, there 
is a tense formula with names that characterises the class of irreflexive frames 
[Bla93] although there is no such formula without names. Another remarkable 
breakthrough due to the inclusion of names is the ability to define the intersection 
operator (see e.g. [PT91]) although it is known that intersection is not modally 
definable in the standard modal language [GT75]. Adding the difference operator 
$[\neq]$, which allows access to worlds different from the current world, is another 
way to obtain names (see e.g. [Koy92,Rij92,Ven93]). As far as expressive power 
is concerned, adding $[\neq]$ is more powerful than adding only names: in [GG93], 
the relationships between names and $[\neq]$ are fully established with respect to 
definability. So most of the literature for modal logics with names concerns their 
expressive power, decidability, complexity (see e.g. [Bla90,Rij93,GG93,PT91]) 
and Hilbert-style systems [Bla90,PT91,Ven93,Rij93]. 

Display Logic: Display Logic (abbreviated by DL) is a proof-theoretical frame- 
work due to Belnap [Bel82] that generalises the structural language of Gentzen’s 
sequents by using multiple structural connectives instead of Gentzen’s comma. 
Display calculi enjoy various nice properties. The first is that any display cal- 
culus that obeys eight simple conditions C1-C8 (see the appendix) also enjoys 
a cut-elimination theorem [Bel82]. The second is that, in the rules introducing 
logical connectives, the principal formula is alone as an antecedent or succedent, 
thereby giving a clear definition of the introduced connective. Consequently, in- 
teractions between logical connectives are reduced to a minimum. All of this is 
possible because any occurrence of a structure in a sequent can be displayed 
either as the entire antecedent or as the entire succedent of some sequent struc- 
turally equivalent to the initial sequent. 

Our contribution: We define cut-free display calculi for two classes of exten- 
sions of the minimal nominal tense logic (MNTL) [Bla90], by addition of two types 
of primitive axioms in the sense of [Kra96]. These display calculi break (C8). We 
extend various results for displayed tense logics (including strong normalisation) 
from [Wan94,Kra96,Wan98] to nominals. Our main contribution is to show that 
Belnap's condition C8 can be weakened while preserving cut-elimination. 

We first define the basic display calculus δMNTL by using a natural translation from MNTL into MTL≠, the minimal tense logic augmented with the difference operator. Indeed, MTL≠ is properly displayable in the sense of [Kra96] thanks to the Hilbert-style axiomatisation given in [Rij92] (see also [Seg81,Koy92]). The rules for δMNTL mimic those of δMTL≠, the display calculus for MTL≠. We prove soundness of δMNTL by showing that the rules preserve MNTL-validity. We prove completeness of δMNTL by showing that δMNTL can simulate the rules of the Hilbert-style calculus ⊢MNTL for MNTL given in [Bla90]. Cut-elimination cannot be proved via that proof because cut is needed to simulate the modus ponens rule.

An interesting (and at first glance very unpleasant) feature of δMNTL is that it does not satisfy the condition (C8) [Bel82] which is crucial for the cut-elimination proofs from [Bel82,Wan98]. We show that the failure of (C8) is caused by the introduction rules for nominals and then show a limited cut-elimination theorem by observing that one of these rules is not really necessary. By appropriately modifying a proof from [Wan98], we then prove a strong normalisation theorem for any extension of δMNTL obtained by the addition of structural rules satisfying the conditions (C2)-(C7) from [Bel82] (condition (C8) only makes sense for logical rules). From a technical viewpoint, we have modified the definitions of parametric and principal moves to view a sequent in a proof as its equivalence class with respect to structural equivalence. Consequently, a display postulate inference in a proof does not add to the size of the proof. This can be generalised to any invertible structural rule with a single premiss.

We then have to make a connection between axiomatic extensions of ⊢MNTL and corresponding extensions of δMNTL obtained by adding structural rules à la Kracht [Kra96]. Since δMNTL is based upon δMTL≠, we proceed via axiomatic extensions of the Hilbert-style calculus for MTL≠. Many such extensions of MTL≠ require the powerful (and sometimes redundant) irreflexivity rule (see e.g. [Gab81]) and, unfortunately, the corresponding rule in DL lacks various nice properties of standard display calculi. Although it is not always known when the irreflexivity rule is really needed, it is not needed in the axiomatisation of MTL≠. We therefore prove cut-elimination and completeness of δMNTL with respect to primitive axiomatic extensions of ⊢MTL≠ which do not require the irreflexivity rule, by backward translation (Theorem 14). These primitive axioms possibly contain the difference operator [≠], which is foreign to MNTL.

Finally, although many extensions of MNTL are not canonical [Bla90], we show a weak Sahlqvist-style theorem for nominal tense logics. This allows us to define cut-free display calculi for any extension of MNTL by addition of another class of primitive axioms using only the language of MNTL, and hence without the difference operator. Furthermore, we can characterise the semantical extensions of MNTL which correspond to these calculi.

Related work: Existing proof systems for nominal tense logics [Bla90,Bla93] or for modal logics with the difference operator [Seg81,Koy92,Rij92,Ven93] are mostly Hilbert-style. And although the prefixed tableaux defined in [BD97] for several modal logics with the difference operator give decision procedures, a cut rule present in these calculi is not eliminable in many cases (for reasons similar to those that apply to calculi from [dM94]). Gentzen-style calculi for similarity logics with names have been defined in [Kon97] where the nominals play the role of prefixes in an elegant manner. These calculi contain no prefixed formulae as such since the language of the logic already contains names.

Our treatment of nominals in δMNTL is different since we instead use the double nature of a nominal: as the atomic proposition i and as a necessity formula. In that sense, it is similar to the treatment of atomic propositions in display calculi for intuitionistic logic in [Gor95]. In [Bla98,Dem99], sequent calculi for nominal tense logics are given in which the nominals roughly play the role of labels. Cut-free display calculi have also been defined for substructural logics (see e.g. [Gor98]) and for modal and polymodal logics [Wan94,Kra96]. In [Ven93], a Sahlqvist theorem for tense logics with the difference operator has been established for calculi with the irreflexivity rule (see also [Rij93]).

Plan of the paper: In Section 2, we recall the definitions of the logics under study [Bla90,Rij92,Ven93]. In Section 3, we define the cut-free display calculus δMNTL for MNTL, show its completeness and prove a (weak) cut-elimination theorem. In Section 4, we prove a strong normalisation theorem for any reasonable extension of δMNTL although δMNTL does not satisfy Belnap's condition (C8). In Section 5 we establish a weak Sahlqvist-style theorem and, by using [Kra96], define cut-free display calculi for extensions of MNTL. Space limits preclude detailed proofs, but these can be found in the full version [DG98a]. Belnap's eight conditions, and our weaker version of (C8), can be found in the appendix.




158 Stéphane Demri and Rajeev Goré



2 Nominal Tense Logics

Given a set PRP = {p_0, p_1, p_2, …} of atomic propositions and a set NOM = {i_0, i_1, …} of names, the formulas φ ∈ NTL(G, H, [≠]) are inductively defined as follows, for p_j ∈ PRP and i_k ∈ NOM:

$$\phi ::= \top \mid \bot \mid p_j \mid i_k \mid \phi_1 \wedge \phi_2 \mid \phi_1 \vee \phi_2 \mid \phi_1 \rightarrow \phi_2 \mid \neg\phi \mid H\phi \mid G\phi \mid [\neq]\phi$$

Standard abbreviations include ⟨≠⟩, F and P; for instance Fφ = ¬G¬φ.

For any sequence OP from {H, G, [≠]}, we write NTL(OP) to denote the fragment of NTL(G, H, [≠]) with the unary modal operators from OP. Similarly, TL(OP) denotes the fragment of NTL(OP) with no names. In the rest of the paper, we study logics whose languages are strict fragments of NTL(G, H, [≠]) (the whole language contains all that we need in the paper). For any φ ∈ NTL(G, H, [≠]), we write dg(φ) to denote the degree of φ, that is the number of occurrences of members of PRP ∪ NOM ∪ {⊤, ⊥} ∪ {¬, ∧, [≠]}. For instance dg(F¬(i_0 ∨ ¬p_1)) = 6.

A modal frame (W, R) is a pair where W is a non-empty set and R is a binary relation over W, with R⁻¹ the converse of R. We write Fr for the set of all modal frames and use R(w) = {v ∈ W : (w, v) ∈ R}. A model is a triple (W, R, m) such that (W, R) is a frame, P(W) is the set of all subsets of W, and m is a mapping m : PRP ∪ NOM → P(W) where for i ∈ NOM, m(i) is a singleton.

Let M = (W, R, m) be a model and w ∈ W. As usual, the formula φ is satisfied by the world w ∈ W in M iff M, w ⊨ φ, where the satisfaction relation ⊨ is inductively defined as follows:

$$\begin{array}{lcl}
M, w \models p & \text{iff} & w \in m(p), \text{ for every } p \in \mathrm{PRP} \cup \mathrm{NOM};\\
M, w \models G\phi & \text{iff} & \text{for every } v \in R(w),\ M, v \models \phi;\\
M, w \models H\phi & \text{iff} & \text{for every } v \in R^{-1}(w),\ M, v \models \phi;\\
M, w \models [\neq]\phi & \text{iff} & \text{for every } v \neq w,\ M, v \models \phi.
\end{array}$$

We omit the standard conditions for the propositional connectives and the logical constants. A formula φ is true in a model M (written M ⊨ φ) iff for every w ∈ W, M, w ⊨ φ. A formula φ is true in a frame F (written F ⊨ φ) iff φ is true in every model based on F. By a logic ℒ we understand a pair (L, C) consisting of a language L ⊆ NTL(H, G, [≠]) and a nonempty set of frames C ⊆ Fr. A formula φ ∈ L is C-valid iff φ is true in all the models based on the frames in C. A formula φ ∈ L is C-satisfiable iff ¬φ is not C-valid.

The minimal nominal tense logic is MNTL = (NTL(H, G), Fr). The minimal tense logic of inequality is MTL≠ = (TL(G, H, [≠]), Fr). Moreover, for any formula φ of some language L ⊆ NTL(H, G, [≠]) with names [resp. without names], we write NTL_φ [resp. TL_φ] to denote the logic (L, {F ∈ Fr : F ⊨ φ}).

By a universal modality [resp. existential modality] α, we mean a (possibly empty) finite sequence of elements from {G, H} [resp. {F, P}]. We write ⊢MTL≠ to denote the axiomatic system defined in [Rij93, pp. 36-37] for MTL≠. We write ⊢MNTL for the smallest subset of NTL(G, H) closed under modus ponens, closed under necessitation for G and H, and containing every formula of the form

- the tautologies of the propositional calculus;

- (G(φ → ψ) ∧ Gφ) → Gψ; (H(φ → ψ) ∧ Hφ) → Hψ; φ → HFφ; φ → GPφ;

- i ∧ φ → α(i → φ) where i ∈ NOM and α is any universal modality.

We write ⊢ ψ to mean that ψ is derivable in the Hilbert-style calculus ⊢. We write ⊢ + φ to denote the minimal extension of the axiomatic system ⊢ by adding all formulae of the form φ (thus φ is just an axiom schema).

Theorem 1. [Bla90] Any φ ∈ NTL(H, G) is MNTL-valid iff ⊢MNTL φ.

3 A Display Calculus for MNTL

As stated previously there are numerous existing display calculi. We use Wansing's [Wan94] formulation since it is tailored to modal logics. On the structural side, we have the structural connectives * (unary), ∘ (binary), I (nullary), • (unary) and •≠ (unary). A structure X ∈ struc(δMNTL) is inductively defined as

$$X ::= \phi \mid I \mid *X \mid X_1 \circ X_2 \mid \bullet X \mid \bullet_{\neq} X$$

for φ ∈ NTL(G, H). A logical interpretation of the structural connectives can be found in the proof of the forthcoming Theorem 3. A sequent is defined as an expression of the form X ⊢ Y with X the antecedent and Y the succedent. For any finite set S of structures, we write NOM(S) for the set of names from NOM that occur in S. We write Ψ_S to denote the formula (in TL(G, H, [≠])) below:

$$\Psi_S = \bigwedge_{i_k \in \mathrm{NOM}(S)} (p_{2k+1} \wedge [\neq]\neg p_{2k+1}) \vee \langle\neq\rangle (p_{2k+1} \wedge [\neq]\neg p_{2k+1})$$

The rules of δMNTL are those in Figures 1-5.

The display postulates (reversible rules) in Figure 2 deal with the manipulation of structural connectives. In what follows, we write

$$\frac{s'}{s}\;(dp)$$

to denote that the sequent s' is obtained from the sequent s by an unspecified finite number (possibly zero) of applications of display postulates.



Fig. 1. Fundamental logical axioms and cut rule: the identity axiom (Id) p ⊢ p, an axiom relating the nullary structure I to a logical constant, and the rule (cut), which infers X ⊢ Y from the premisses X ⊢ φ and φ ⊢ Y.
Fig. 2. Display postulates: the reversible rules for moving structures between antecedent and succedent, for instance X ∘ Y ⊢ Z ⇔ X ⊢ Z ∘ *Y ⇔ Y ⊢ *X ∘ Z, *X ⊢ Y ⇔ *Y ⊢ X, X ⊢ *Y ⇔ Y ⊢ *X, **X ⊢ Y ⇔ X ⊢ Y, X ⊢ **Y ⇔ X ⊢ Y, together with the postulates for • and •≠.



In any structure Z, the structure X occurs negatively [resp. positively] iff X occurs in the scope of an odd number [resp. an even number] of occurrences of * [Bel82]. In a sequent V ⊢ W, an occurrence of X is an antecedent part [resp. succedent part] iff it occurs positively in V [resp. negatively in W] or it occurs negatively in W [resp. positively in V] [Bel82]. Two sequents X ⊢ Y and X' ⊢ Y' are said to be structurally equivalent iff there is a derivation of the first sequent from the second (and vice-versa) using only the display postulates.

Theorem 2. [Bel82] For every sequent V ⊢ W and every antecedent [resp. succedent] part X of V ⊢ W, there is a structurally equivalent sequent X ⊢ Y [resp. Y ⊢ X] that has X (alone) as its antecedent [resp. succedent]. X is said to be displayed in X ⊢ Y [resp. Y ⊢ X].

A structural rule contains only structural connectives and structure variables like X, Y, Z. Following [Kra96], a formula is said to be primitive iff it is of the form φ → ψ where both φ and ψ are built only from PRP ∪ {⊤} with the help of ∧, ∨, F, P and ⟨≠⟩, and such that φ contains each atomic proposition at most once. The rules in Figure 5 are translations of primitive axioms from the axiomatisation of MTL≠ [Rij93] into structural rules following [Kra96]. Thus •≠ is implicitly associated with the pair ([≠], ⟨≠⟩) of dual modal operators (since ≠ is symmetric), and • is associated with the pair of residuated operators (G, P).

An easy way to understand the way the rules (i ⊢) and (⊢ i) in Figure 3 work is to observe that the formula i ⇔ [≠]¬i from the language NTL([≠]) is valid in any Kripke model. Thus, the rules (i ⊢) and (⊢ i) use the intensional nature of a name whereas the fundamental axiom i ⊢ i uses its atomic nature.

Theorem 3. (soundness) If I ⊢ φ is derivable in δMNTL, then φ is MNTL-valid.

Proof. Consider maps a and s from struc(δMNTL) to TL(H, G, [≠]) as below:

$$\begin{array}{l}
a \text{ and } s \text{ are homomorphic for } \wedge, \vee, H \text{ and } G\\
\text{for every } p_j \in \mathrm{PRP},\ a(p_j) = s(p_j) = p_{2j}\\
\text{for every } i_k \in \mathrm{NOM},\ a(i_k) = s(i_k) = p_{2k+1} \wedge [\neq]\neg p_{2k+1}\\
a(\top) = s(\top) = \top \qquad a(\bot) = s(\bot) = \bot
\end{array}$$
Fig. 3. Operational rules: the introduction rules for ⊤, ⊥, ¬, →, and (∧ ⊢): from φ ∘ ψ ⊢ X infer φ ∧ ψ ⊢ X; (⊢ ∧): from X ⊢ φ and Y ⊢ ψ infer X ∘ Y ⊢ φ ∧ ψ; (∨ ⊢): from φ ⊢ X and ψ ⊢ Y infer φ ∨ ψ ⊢ X ∘ Y; (⊢ ∨): from X ⊢ φ ∘ ψ infer X ⊢ φ ∨ ψ; (G ⊢): from φ ⊢ X infer Gφ ⊢ •X; (⊢ G): from X ⊢ •φ infer X ⊢ Gφ; (H ⊢): from φ ⊢ X infer Hφ ⊢ *•*X; (⊢ H): from X ⊢ *•*φ infer X ⊢ Hφ; and the rules for names, (i ⊢): from X ⊢ i infer i ⊢ *X, and (⊢ i): from i ⊢ *X infer X ⊢ i.



Fig. 4. Other basic structural rules: the rules for I (from X ⊢ Z infer I ∘ X ⊢ Z; from X ⊢ Z infer X ⊢ I ∘ Z; from I ⊢ Y infer *I ⊢ Y; from X ⊢ I infer X ⊢ *I), weakening (weak_l): from X ⊢ Z infer Y ∘ X ⊢ Z, and (weak_r), associativity (assoc_l): from X_1 ∘ (X_2 ∘ X_3) ⊢ Z infer (X_1 ∘ X_2) ∘ X_3 ⊢ Z, and (assoc_r), commutativity (com_l): from Y ∘ X ⊢ Z infer X ∘ Y ⊢ Z, and (com_r), contraction (contr_l): from X ∘ X ⊢ Y infer X ⊢ Y, and (contr_r): from Y ⊢ X ∘ X infer Y ⊢ X, and the necessitation rules for • and •≠: from I ⊢ X infer •I ⊢ X, from X ⊢ I infer X ⊢ •I, from I ⊢ X infer •≠I ⊢ X, and from X ⊢ I infer X ⊢ •≠I.



Fig. 5. Other structural rules: (all•), (uni1), (uni2) and (sym), the structural rules obtained from the primitive axioms of the axiomatisation of MTL≠; (sym) is the structural counterpart of the symmetry of ≠.
$$\begin{array}{lcl@{\qquad}lcl}
a(I) & = & \top & s(I) & = & \bot\\
a(*X) & = & \neg s(X) & s(*X) & = & \neg a(X)\\
a(X \circ Y) & = & a(X) \wedge a(Y) & s(X \circ Y) & = & s(X) \vee s(Y)\\
a(\bullet X) & = & P\,a(X) & s(\bullet X) & = & G\,s(X)\\
a(\bullet_{\neq} X) & = & \langle\neq\rangle\,a(X) & s(\bullet_{\neq} X) & = & [\neq]\,s(X)
\end{array}$$

By induction on the length of the given derivation of X ⊢ Y, we can show that if X ⊢ Y is derivable in δMNTL, then Ψ_{X,Y} → (a(X) → s(Y)) is MTL≠-valid. Furthermore, for any φ ∈ NTL(H, G), φ is MNTL-valid iff a(φ) is MTL≠-valid iff s(φ) is MTL≠-valid iff Ψ_φ → a(φ) is MTL≠-valid iff Ψ_φ → s(φ) is MTL≠-valid. In particular, if I ⊢ φ is derivable in δMNTL, then Ψ_{I,φ} → (⊤ → s(φ)) is MTL≠-valid and hence φ is MNTL-valid.
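As an added illustration (not code from the paper), the following Python model checker for NTL(G, H, [≠]) over finite models implements the satisfaction clauses of Section 2 together with the map a on formulas used in this proof (i_k ↦ p_{2k+1} ∧ [≠]¬p_{2k+1}), and checks the nominal axiom schema i ∧ φ → α(i → φ) of ⊢MNTL on a constructed model. The tuple encoding of formulas, the sample model and all helper names are my own choices.

```python
from itertools import product

# Formulas of NTL(G, H, [≠]) as nested tuples (my own encoding, not the paper's):
#   ('top',) ('bot',) ('p', j) ('i', k) ('not', f) ('and', f, g) ('or', f, g)
#   ('imp', f, g) ('G', f) ('H', f) ('D', f), where ('D', f) encodes [≠]f.


class Model:
    """A model (W, R, m) as in Section 2: every nominal must denote exactly one world."""

    def __init__(self, worlds, rel, val):
        self.W, self.R = frozenset(worlds), frozenset(rel)
        self.m = {atom: frozenset(ext) for atom, ext in val.items()}
        for atom, ext in self.m.items():
            if not ext <= self.W:
                raise ValueError(f"{atom} is interpreted outside W")
            if atom[0] == 'i' and len(ext) != 1:
                raise ValueError(f"nominal {atom} must denote exactly one world")

    def succ(self, w):  # R(w)
        return {v for (u, v) in self.R if u == w}

    def pred(self, w):  # R^{-1}(w)
        return {u for (u, v) in self.R if v == w}


def sat(M, w, f):
    """M, w ⊨ f, following the satisfaction clauses of Section 2."""
    op = f[0]
    if op == 'top':
        return True
    if op == 'bot':
        return False
    if op in ('p', 'i'):
        return w in M.m.get(f, frozenset())
    if op == 'not':
        return not sat(M, w, f[1])
    if op == 'and':
        return sat(M, w, f[1]) and sat(M, w, f[2])
    if op == 'or':
        return sat(M, w, f[1]) or sat(M, w, f[2])
    if op == 'imp':
        return (not sat(M, w, f[1])) or sat(M, w, f[2])
    if op == 'G':
        return all(sat(M, v, f[1]) for v in M.succ(w))
    if op == 'H':
        return all(sat(M, v, f[1]) for v in M.pred(w))
    if op == 'D':  # [≠]f: f holds at every world other than w
        return all(sat(M, v, f[1]) for v in M.W if v != w)
    raise ValueError(f"unknown connective {op!r}")


def true_in(M, f):
    """M ⊨ f: f holds at every world of M."""
    return all(sat(M, w, f) for w in M.W)


def translate(f):
    """The map a (= s on formulas) of the proof of Theorem 3: p_j ↦ p_{2j},
    i_k ↦ p_{2k+1} ∧ [≠]¬p_{2k+1}, and homomorphic on everything else."""
    op = f[0]
    if op == 'p':
        return ('p', 2 * f[1])
    if op == 'i':
        q = ('p', 2 * f[1] + 1)
        return ('and', q, ('D', ('not', q)))
    if op in ('top', 'bot'):
        return f
    if op in ('not', 'G', 'H', 'D'):
        return (op, translate(f[1]))
    return (op, translate(f[1]), translate(f[2]))


def companion(M):
    """The MTL≠ model on the same frame reading p_{2j} as m(p_j) and p_{2k+1} as m(i_k)."""
    val = {('p', 2 * n + (kind == 'i')): ext for (kind, n), ext in M.m.items()}
    return Model(M.W, M.R, val)


def translation_agrees(M, f):
    """True iff f and a(f) hold at exactly the same worlds of M and its companion."""
    N, g = companion(M), translate(f)
    return all(sat(M, w, f) == sat(N, w, g) for w in M.W)


def nominal_axiom(k, phi, alpha):
    """The schema i_k ∧ phi → α(i_k → phi), with α given as a string over 'G' and 'H'."""
    body = ('imp', ('i', k), phi)
    for op in reversed(alpha):
        body = (op, body)
    return ('imp', ('and', ('i', k), phi), body)


def nominal_axioms_hold(M, k, phi, max_len=3):
    """True iff every instance of the schema with |α| ≤ max_len is true in M."""
    return all(true_in(M, nominal_axiom(k, phi, ''.join(alpha)))
               for n in range(max_len + 1) for alpha in product('GH', repeat=n))


# Constructed sample model: W = {0, 1, 2}, R = {(0,1), (1,2), (2,0), (0,2)},
# p_0 true at worlds 0 and 2, i_0 names world 1 and i_1 names world 2.
SAMPLE = Model({0, 1, 2}, {(0, 1), (1, 2), (2, 0), (0, 2)},
               {('p', 0): {0, 2}, ('i', 0): {1}, ('i', 1): {2}})
I0, P0 = ('i', 0), ('p', 0)
```

On SAMPLE, `true_in` confirms i_0 ⇔ [≠]¬i_0 at every world but rejects p_0 → G p_0 (world 0 sees world 1, where p_0 fails), and `translation_agrees` returns True for every formula, which is the pointwise content of the equivalence between φ and a(φ) used above.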

Next, we give a completeness proof of δMNTL using the system ⊢MNTL.

Lemma 4. Let X ⊢ Y and X' ⊢ Y' be sequents such that X' ⊢ Y' can be obtained from X ⊢ Y by replacing some occurrences of *•≠*Z by •≠Z and by replacing some occurrences of •≠W by *•≠*W. Then, any display calculus S containing the display postulates from Figure 2, (sym), (contr_r), (weak_r) and (weak_l) satisfies: X ⊢ Y is derivable [resp. has a cut-free proof] in S iff X' ⊢ Y' is derivable [resp. has a cut-free proof] in S.

Lemma 4 is unsurprising since (sym) corresponds to the axiom schema φ → [≠]⟨≠⟩φ characterising symmetry. However, Lemma 4 is purely syntactic.

Theorem 5. (completeness) If ⊢MNTL φ then I ⊢ φ is derivable in δMNTL.

The proof of Theorem 5 relies only on the completeness of δKt [Kra96] and on the derivability of the axiom schema i ∧ φ → α(i → φ). Moreover, it highlights how the rules (uni1), (uni2), (sym) and (all•) are needed to get completeness. In what follows, we write

$$\begin{array}{c}\vdots\ \Pi\\ s\end{array}$$

to denote that the sequent s has a proof Π in δMNTL.

Proof. (sketch) The proof is by induction on the length of the derivation of φ in ⊢MNTL. Actually, most of the cases have already been proved in [Wan94,Kra96,Wan98]. It remains to show that I ⊢ i ∧ φ → α(i → φ) is derivable in δMNTL where i ∈ NOM, φ ∈ NTL(H, G) and α is a (possibly empty) finite sequence of elements from {H, G}. To do so, we prove by induction on the length of α that i ∘ φ ⊢ α(i → φ) and •≠(i ∘ φ) ⊢ α(i → φ) are derivable in δMNTL (see [DG98a]).

Unfortunately, as shown shortly in Example 1, the rules (⊢ i) and (i ⊢) from δMNTL do not satisfy (C8), so we cannot prove cut-elimination using [Bel82,Wan98]. However, δMNTL minus the rule (⊢ i), say δ⁻MNTL, obeys (C1)-(C8) since, in δ⁻MNTL, i can be a succedent principal formula only in the fundamental axiom i ⊢ i. Belnap's cut-elimination proof applies and therefore X ⊢ Y has a proof in δ⁻MNTL iff X ⊢ Y has a cut-free proof in δ⁻MNTL. A similar "trick" is used in [Gor95]. Surprisingly, the proof of Theorem 5 also shows that if ⊢MNTL φ then I ⊢ φ is derivable in δ⁻MNTL since the (⊢ i)-rule is simply not used. Consequently,

Theorem 6. (weak cut-elimination) If ⊢MNTL φ, then I ⊢ φ has a cut-free proof in δ⁻MNTL.

Whether δMNTL enjoys cut-elimination is still open at this stage of the paper since not all provable sequents X ⊢ Y are of the form I ⊢ φ. Moreover, Theorem 6 does not guarantee that any reasonable extension of δMNTL enjoys cut-elimination. In the next section we extend Wansing's strong normalisation theorem to δMNTL in such a way that any extension of δMNTL by addition of structural rules satisfying (C2)-(C7) also satisfies the strong normalisation theorem (condition (C8) is relevant only for logical rules).

4 A Strong Normalisation Theorem

A very important feature of the proof-theoretical framework DL is the existence of a very general cut-elimination theorem [Bel82]. Indeed, any display calculus satisfying the conditions (C2)-(C8) [Bel82] admits cut-elimination. In [Wan98], such a result is strengthened by proving that any classical modal display calculus defined from [Kra96] for a properly displayable classical modal logic [Kra96] admits a strong normalisation theorem: that is, the process of cut-elimination terminates for any sequence of the reduction steps to be defined shortly. Similar theorems exist for numerous formal systems such as for example those for typed λ-terms (see e.g. [TS96]).

Unfortunately δMNTL does not satisfy (C8), recalled below (see e.g. [Wan98]):

(C8) If there are inferences I_1 and I_2 with respective conclusions X ⊢ φ and φ ⊢ Y with φ principal in both inferences, and if cut is applied to obtain X ⊢ Y, then either X ⊢ Y is identical to one of X ⊢ φ and φ ⊢ Y; or there is a derivation of X ⊢ Y from the premisses of I_1 and I_2 in which every cut-formula of any application of cut is a proper subformula of φ.

Example 1. Consider the proof

$$\dfrac{\dfrac{\begin{array}{c}\vdots\ \Pi_1\\ i \vdash *X\end{array}}{X \vdash i}\,(\vdash i)\qquad\dfrac{\begin{array}{c}\vdots\ \Pi_2\\ Y \vdash i\end{array}}{i \vdash *Y}\,(i \vdash)}{X \vdash *Y}\,(cut)$$

Since i does not have proper subformulae, δMNTL does not satisfy (C8), which is absolutely crucial in the proofs of cut-elimination in [Bel82,Wan98]. However, δMNTL enjoys a (weak) cut-elimination theorem (see Theorem 6).
At first sight, (C4) also seems to be violated since an inference of (i ⊢) [resp. (⊢ i)] changes the displayed antecedent [resp. succedent] part occurrence of i in the conclusion into a succedent [resp. antecedent] part occurrence in the premiss. However, all is well, for the occurrences of a name in some (i ⊢)-rule [resp. (⊢ i)-rule] inference are not parameters since they are not substructures of some structure obtained by instantiating some structure variable.

We now show that any reasonable extension of δMNTL admits a strong normalisation theorem by adapting arguments from [Wan98]. By a reasonable extension, we mean a calculus S obtained from δMNTL by addition of structural rules that satisfy the conditions (C2)-(C7) (see e.g. [Bel82,Kra96,Wan98]).

As usual, our strong normalisation theorem is relative to a given reduction concept. Indeed, we shall define legitimate moves that define the authorised reductions. Basically, each reduction removes a cut at the cost of cuts of lesser rank, or permutes a cut with a rule application in one of its premisses, or replaces a cut by a cut of the same rank but decreases the number of significant inferences. In the rest of the section, S is assumed to be reasonable.

The reduction process consists of SE-principal moves and parametric moves. First, let us recall that in DL, every structure occurrence in an inference I is called a constituent of I. Constituents of an inference I are congruent iff they occupy similar positions in occurrences of structures assigned to the same structure variable.

Definition 7. In the proof Π_1 from Definition 8 below left, the congruence class of φ is the smallest set Q_φ of occurrences of φ in Π_1 such that

- the displayed occurrence of φ in X ⊢ φ is in Q_φ;

- for every inference I in Π_1, each constituent of a premiss of I which is congruent (w.r.t. I) to a constituent of the conclusion of I already in Q_φ is in Q_φ.

Q_φ can be viewed as a finite tree of occurrences of φ. A path in the tree defined by Q_φ is a maximal finite sequence φ_occ1, …, φ_occn of elements of Q_φ such that for k ∈ {1, …, n−1}, φ_occk is congruent to φ_occk+1 for some inference.



Definition 8. In the proof Π below left, φ is said to be SE-principal (principal modulo structural equivalence) in X ⊢ φ iff the subproof Π_1 is of the form Π_1' shown below right, φ is principal in the instance of rule (ru), and the two occurrences of φ in X' ⊢ φ and X ⊢ φ in Π_1' belong to the same congruence class:

$$\Pi = \dfrac{\begin{array}{c}\vdots\ \Pi_1\\ X \vdash \phi\end{array}\qquad\begin{array}{c}\vdots\ \Pi_2\\ \phi \vdash Y\end{array}}{X \vdash Y}\,(cut)\qquad\qquad \Pi_1' = \dfrac{\dfrac{\vdots}{X' \vdash \phi}\,(ru)}{X \vdash \phi}\,(dp)$$

We use an analogous definition for φ SE-principal in φ ⊢ Y.

Consider an application of (cut) as shown in proof Π from Definition 8. If the cut-formula φ is SE-principal in X ⊢ φ and φ ⊢ Y, then an SE-principal move is done; otherwise a parametric move is done.
SE-principal moves There are three cases:

Case 1: X ⊢ Y is X ⊢ φ [resp. φ ⊢ Y]. Then Π is transformed into Π_1 [resp. Π_2].

Case 2: φ is not a name. The treatment of the similar case in [Wan98] (see also [Bel82]) applies except that one has to take into account the display postulate inferences. For instance, when φ = ¬ψ the proof fragment below left is transformed into the proof fragment below right:

$$\dfrac{\dfrac{\dfrac{\dfrac{\vdots}{X' \vdash *\psi}}{X' \vdash \neg\psi}\,(\vdash\neg)}{X \vdash \neg\psi}\,(dp_1)\qquad\dfrac{\dfrac{\dfrac{\vdots}{*\psi \vdash Y'}}{\neg\psi \vdash Y'}\,(\neg\vdash)}{\neg\psi \vdash Y}\,(dp_2)}{X \vdash Y}\,(cut)
\qquad\qquad
\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\vdots}{X' \vdash *\psi}}{\psi \vdash *X'}\,(dp)\qquad\dfrac{\dfrac{\vdots}{*\psi \vdash Y'}}{*Y' \vdash \psi}\,(dp)}{*Y' \vdash *X'}\,(cut)}{X' \vdash Y'}\,(dp)}{X \vdash Y'}\,(dp_1)}{X \vdash Y}\,(dp_2)$$

Observe that, in the transformed proof, the cut-formula ψ has dg(ψ) < dg(φ).

Case 3: φ is the name i. Then Π is as shown below left and is transformed into the proof Π' shown below right:

$$\dfrac{\dfrac{\dfrac{\begin{array}{c}\vdots\ \Pi_1'\\ i \vdash *X'\end{array}}{X' \vdash i}\,(\vdash i)}{X \vdash i}\,(dp_1)\qquad\dfrac{\dfrac{\begin{array}{c}\vdots\ \Pi_2'\\ Y' \vdash i\end{array}}{i \vdash *Y'}\,(i\vdash)}{i \vdash Y}\,(dp_2)}{X \vdash Y}\,(cut)
\qquad\qquad
\dfrac{\dfrac{\dfrac{\dfrac{\begin{array}{c}\vdots\ \Pi_2'\\ Y' \vdash i\end{array}\qquad\begin{array}{c}\vdots\ \Pi_1'\\ i \vdash *X'\end{array}}{Y' \vdash *X'}\,(cut)}{X' \vdash *Y'}\,(dp)}{X \vdash *Y'}\,(dp_1)}{X \vdash Y}\,(dp_2)$$

It is obvious that (dp) moves do not alter a sequent in any significant way. So let us consider only significant (i.e. non-(dp)) inferences. In Case 3, the degree of the cut-formula in Π' equals the degree of the cut-formula φ, but the number of significant inferences in Π' is less than in Π. In the proof of the strong normalisation theorem (see [DG98a]), the measure on the size of proofs counts only the number of significant inferences (and this measure decreases when required). Indeed, we implicitly consider as identical the sequents that are structurally equivalent (i.e. interderivable by using only the display postulates from Figure 2).



Parametric moves The parametric moves can be viewed simply as non-SE-principal moves. Suppose φ is not SE-principal in the inference ending in X ⊢ φ from Definition 8 in proof Π (the other case is analogous). Viewing the congruence class Q_φ of this occurrence of φ as a tree, if the tree contains an application of cut, then no reduction is performed and we instead consider one of the applications of cut above X ⊢ φ for reduction. Thus the shown application of cut from Π is not subject to reduction at this stage. If the tree contains no application of cut, then for each path in Q_φ consider φ_u, the uppermost member of Q_φ on the path, and let I_u be the inference ending in the sequent s which contains φ_u.

Case (i): φ_u is principal in I_u. So φ_u is the entire succedent of s. We cut with Π_2 and replace every occurrence of φ below φ_u in the path by Y.

Case (ii): φ_u is not principal in I_u. Then, w.r.t. I_u, φ_u is congruent only to itself, so we just replace every occurrence of φ below φ_u in the path by Y. Π_2 is deleted.
Primitive Reduction. The result of simultaneously carrying out these operations for every path of occurrences of φ in Π_1 and removing the initial occurrence of X ⊢ Y is by definition a primitive reduction.

The treatment of the last two cases is exactly what is done in [Wan98] (see also [Bel82]). Fortunately, by close examination of Case (i) and Case (ii), it also works when φ is a name. Indeed, as mentioned previously, the two occurrences of i in both rules (i ⊢) and (⊢ i) are not congruent by definition, and therefore there is no need to treat the case φ = i separately.

The reduction process does not systematically remove the uppermost cut (this is just a particular case) and not all the cuts in a proof are necessarily subject to primitive reduction. For any non cut-free proof Π, we write Π' < Π to denote that Π' is obtained from Π by application of a primitive reduction.

Theorem 9. (strong normalization) The relation < on proofs of S is well-founded (no infinite decreasing chains) and the terminal proofs (those that cannot be reduced) are cut-free.

These proofs are impervious to additional structural rules obeying (C1)-(C7). The full proof of Theorem 9 can be found in [DG98a].

5 Properly Displayable Nominal Tense Logics

The aim of this section is to identify classes of properly displayable nominal tense logics by adapting developments from [Bla90,Kra96]. In what follows, we write S + R to denote the display calculus S augmented with the set R of rules.

Definition 10. Logic ℒ = (NTL(H, G), C) is properly displayable iff there is a display calculus δ = δMNTL + R such that R is a set of structural rules satisfying (C2)-(C7) and for any φ ∈ NTL(H, G), φ is ℒ-valid iff I ⊢ φ is derivable in δ.

Theorem 11. Every properly displayable logic has a cut-free display calculus.

Indeed, by Theorem 9, δMNTL + R admits a (strongly normalising) cut-elimination theorem since all the rules in R satisfy the conditions (C2)-(C7).

Sahlqvist tense formulae are useful to study the nominal tense logics characterized by classes of frames modally definable by such formulae. A formula is positive [resp. negative] iff every propositional variable occurs under an even [resp. odd] number of negation symbols (when φ_1 → φ_2 is treated as ¬φ_1 ∨ φ_2). A simple Sahlqvist tense formula in TL(H, G) is an implication φ → ψ such that ψ is positive and φ is built up from negative formulae, formulae without occurrences of atomic propositions and formulae of the form αp with α a universal modality and p ∈ PRP, using only ∧, ∨ and the existential modalities; see e.g. [Rij93]. A Sahlqvist tense formula is a conjunction of formulae of the form α(φ → ψ) where α is a universal modality and φ → ψ is a simple Sahlqvist tense formula.

Theorem 12. Let φ be a Sahlqvist tense formula and let ⊢ = ⊢MNTL + φ. Then, any ψ ∈ NTL(H, G) is NTL_φ-valid iff ⊢ ψ.

Theorem 12 does not follow from Sahlqvist's Theorem [Sah75] since NTL_φ is known to be non canonical for any Sahlqvist tense formula φ where {F ∈ Fr : F ⊨ φ} contains a frame with a reflexive world and a frame with an irreflexive world [Bla90, Proof of Theorem 4.3.1]. For instance take φ to be p → p. That is, there is no (single canonical) NTL_φ-model M = (W, R, m) such that for every ⊢-consistent set X there is w ∈ W such that for all ψ ∈ X, M, w ⊨ ψ.

Theorem 13. Any logic ℒ = (NTL(H, G), C) where C = {F ∈ Fr : F ⊨ φ} for some conjunction φ of primitive formulae in TL(G, H) is properly displayable.

The primitive formulae in Theorem 13 do not contain the difference operator. Another class of properly displayable nominal tense logics can be identified.

Theorem 14. Let ℒ' = (TL(H, G, [≠]), C) and let γ be a conjunction of primitive formulae over the language TL(H, G, [≠]) such that ⊢MTL≠ + γ axiomatizes ℒ' and C is closed under disjoint unions and isomorphic copies. Then the logic ℒ = (NTL(H, G), C) is properly displayable.

The irreflexivity rule is not present in ⊢MTL≠ + γ. However, unlike Theorem 13, the primitive axioms in Theorem 14 may contain the difference operator.



Proof. (sketch) Since struc(δMNTL) contains •≠, we first transform γ into a collection R_γ of structural rules over struc(δMNTL) using Kracht's method [Kra96]. This gives a display calculus δℒ' = δMTL≠ + R_γ where δMTL≠ is the display calculus for MTL≠. Actually, δMTL≠ can be defined from δMNTL by: considering the same set of structural connectives but building up the structures from TL(H, G, [≠]) instead of NTL(H, G); deleting the fundamental axioms of the form i ⊢ i and the rules (i ⊢) and (⊢ i); and adding the rules below:

$$\dfrac{\phi \vdash X}{[\neq]\phi \vdash \bullet_{\neq} X}\,([\neq]\vdash)\qquad\qquad\dfrac{X \vdash \bullet_{\neq}\phi}{X \vdash [\neq]\phi}\,(\vdash[\neq])$$

Since δℒ' obeys (C1)-(C8), it enjoys cut-elimination. To show that δℒ = δMNTL + R_γ properly displays ℒ, let struc(δℒ') be the set of structures involved in δℒ' and define a partial function g : struc(δℒ') → struc(δMNTL) as follows:

- g(X) is undefined if X contains some occurrence of [≠]ψ where ψ is not of the form ¬p_{2k+1} for k ∈ ω; otherwise

- g is homomorphic for the Boolean connectives, for H and for G;

- for any k ∈ ω, g(p_{2k+1}) = g([≠]¬p_{2k+1}) = i_k and g(p_{2k}) = p_k;

- g(⊥) = ⊥ and g(⊤) = ⊤;

- g is homomorphic for the structural connectives and g(I) = I.

Let φ be a formula of NTL(G, H).

- (soundness) If I ⊢ φ has a cut-free proof in δℒ, then s(φ) is ℒ'-valid (where s is from the proof of Theorem 3 and we use the closure properties of C). We also have that φ is ℒ-valid iff s(φ) is ℒ'-valid. Hence, φ is ℒ-valid. Note that in general φ ≠ s(φ)!

- (completeness) We must show that if φ is ℒ-valid, then I ⊢ φ has a cut-free proof in δℒ. The proof contains five parts: (1) if φ is ℒ-valid, then a(φ) is ℒ'-valid (here we use the closure properties of C); (2) if a(φ) is ℒ'-valid, then I ⊢ a(φ) has a cut-free proof in δℒ'; (3) if I ⊢ a(φ) has a cut-free proof in δℒ', then I ⊢ g(a(φ)) has a cut-free proof in δℒ; (4) I ⊢ g(a(φ)) has a cut-free proof in δℒ iff I ⊢ φ has a cut-free proof in δℒ; (5) hence, if φ is ℒ-valid, then I ⊢ φ has a cut-free proof in δℒ (see the details in [DG98a]).

The proof of Theorem 14 is very informative since, for instance, it also shows that any formula φ ∈ NTL(H, G) is MNTL-valid iff I ⊢ φ has a cut-free proof in δMNTL. Unlike the proof of Theorem 5, the (⊢ i)-rule is used. The rules (i ⊢) and (⊢ i) are obviously equivalent to the reversible rule below:

$$\dfrac{X \vdash i}{i \vdash *X}\ \text{(reversible)}$$

Hence, as in the case with the display postulates, or indeed any reversible rule, backward proof search may enter loops. However, all is not lost, for the proof of Theorem 14 also yields

Corollary 15. In a backward proof attempt, if we apply (i ⊢) [resp. (⊢ i)], giving rise to some name i in the premiss, then we do not need to apply (⊢ i) [resp. (i ⊢)] to this name in the rest of the backward proof search.

6 Concluding Remarks

To define cut-free display calculi for nominal tense logics, we have extended Wansing's strong normalization theorem [Wan98] to any reasonable extension of δMNTL. Although δMNTL does not satisfy (C8), the proof in Section 4 provides a new condition (C8′) (see the appendix).

Are the classes of properly displayable nominal tense logics characterised by Theorem 13 and Theorem 14 really different? One solution is to characterize the class of Sahlqvist tense formulae φ such that the corresponding display calculus axiomatizes (TL(F, G, [≠]), {𝓕 : 𝓕 ⊨ φ}). This is roughly equivalent to knowing when the irreflexivity rule is superfluous (see e.g. [Ven93]). How to define structural rules in DL from axioms containing names?

Kracht and Wolter [KW97] show how to eliminate the difference operator by means of a pair of tense operators. Unfortunately, one operator must satisfy the Gödel-Löb axiom G, which is not Sahlqvist. Using our recent work on cut-free display calculi for such "second-order" modal logics [DG99], we may be able to design yet another display calculus for nominal tense logics.
Appendix: Belnap's Conditions.



For every sequent rule Belnap [Bel82, page 388] first defines the following notions: in an application Inf of a sequent rule (ρ), "constituents occurring as part of occurrences of structures assigned to structure-variables are defined to be parameters of Inf; all other constituents are defined as nonparametric, including those assigned to formula-variables. Constituents occupying similar positions in occurrences of structures assigned to the same structure-variable are defined as congruent in Inf". The eight (actually seven) conditions shown below are from [Kra96]:

(C1) Each formula which is a constituent of some premiss of a rule ρ is a subformula of some formula in the conclusion of ρ.

(C2) Congruent parameters are occurrences of the same structure.

(C3) Each parameter is congruent to at most one constituent in the conclusion. Equivalently, no two constituents of the conclusion are congruent to each other.

(C4) Congruent parameters are either all antecedent parts or all succedent parts of their respective sequent.

(C5) If a formula is non-parametric in the conclusion of a rule ρ, it is either the entire antecedent, or the entire succedent. Such a formula is called a principal formula.

(C6/7) Each rule is closed under simultaneous substitution of arbitrary structures for congruent parameters.

(C8) If there are inference rules ρ1 and ρ2 with respective conclusions X ⊢ φ and φ ⊢ Y with φ principal in both inferences (in the sense of C5), and if (cut) is applied to yield X ⊢ Y, then either X ⊢ Y is identical to X ⊢ φ or to φ ⊢ Y; or it is possible to pass from the premisses of ρ1 and ρ2 to X ⊢ Y by means of inferences falling under (cut) where the cut-formula is always a proper subformula of φ. If φ satisfies the "if" part of this condition it is known as a "matching principal constituent".

Our new condition (C8′):

(C8′) There exist a non-empty set S with a well-founded ordering < on S and a map dg from formulae to S such that if there are inferences 𝓘1 and 𝓘2 with respective conclusions X ⊢ φ and φ ⊢ Y with φ SE-principal in both inferences, and if cut is applied to obtain X ⊢ Y, then

• either X ⊢ Y is identical to one of X ⊢ φ and φ ⊢ Y;

• or there is a derivation of X ⊢ Y from the premisses of 𝓘1 and 𝓘2 in which every cut-formula ψ of any application of cut satisfies dg(ψ) < dg(φ);

• or there is a derivation of X ⊢ Y from the premisses of 𝓘1 and 𝓘2 in which every cut-formula ψ of any application of cut satisfies dg(ψ) = dg(φ), and in that derivation every inference, except possibly one, falls under an invertible structural rule with a single premiss.
Abstract. ε-terms, introduced by David Hilbert [8], have the form εx.φ, where x is a variable and φ is a formula. Their syntactical structure is thus similar to that of a quantified formula, but they are terms, denoting 'an element for which φ holds, if there is any'.

The topic of this paper is an investigation into the possibilities and limits of using ε-terms for automated theorem proving. We discuss the relationship between ε-terms and Skolem terms (both of which can be used alternatively for the purpose of ∃-quantifier elimination), in particular with respect to efficiency and intuition. We also discuss the consequences of allowing ε-terms in theorems (and cuts). This leads to a distinction between (essentially two) semantics and corresponding calculi, one enabling efficient automated proof search, and the other one requiring human guidance but enabling a very intuitive (i.e. semantic) treatment of ε-terms. We give a theoretical foundation of the usage of both variants in a single framework. Finally, we argue that these two approaches to ε are just the extremes of a range of ε-treatments, corresponding to a range of different possible Skolemization variants.



1 Introduction

Calculi for full first-order predicate logic have to cope with the elimination of existential quantifiers. Quantified variables are usually replaced by terms, which have to obey certain restrictions. Many approaches in proof theory and almost all approaches in automated deduction use the concept of Skolem functions (resp. constants) for this purpose. An alternative concept for terms replacing existentially quantified variables is that of ε-terms. An ε-term has the form εx.φ, where x is a variable and φ is a formula. The intended meaning is 'an element for which φ holds, if there is any, and an arbitrary element otherwise'. If φ holds for more than one element, or for none, ε acts as a choice operator.

A Skolem term introduced during elimination of the quantifier in ∃x.φ(x) also denotes an element e for which φ(e) holds. But in contrast to the Skolem term, the ε-term refers explicitly (on an object language level) to the property φ it satisfies.

Neil V. Murray (Ed.): TABLEAUX'99, LNAI 1617, pp. 171-185, 1999.

© Springer-Verlag Berlin Heidelberg 1999
1.1 Short History of ε-Terms

The ε-symbol was introduced by Hilbert in the context of the formalist effort to prove the consistency of arithmetic and analysis by finitary means. In particular, ε-terms are used to give a finitary justification of the use of (non-finitary) quantifier reasoning in predicate logic. The arguments in this context are typically based on proof transformations. Model-theoretic reasoning would have been inappropriate, as reasoning about models is usually non-finitary. The principal work in this area is by Hilbert and Bernays [8]. Leisenring [9] gives a more condensed and up-to-date survey of the field.

In the context of automated deduction, reasoning with models is not regarded as problematic. Indeed, soundness or completeness statements are almost always relative to a given model semantics. Possible model semantics for ε-terms are investigated by Meyer Viol [10] and also to a certain degree by Leisenring.

To our knowledge, in the context of automated deduction, calculi do not use ε-terms as a syntactical construct. On the other hand, the development of improved δ-rule versions (see below) can be seen as a progressing approximation of ε-like behaviour.



1.2 Short History of δ-Rules

Elimination of existential quantifiers takes place either in a preprocessing step or, in particular in analytic non-normal form calculi (i.e. tableaux and sequent calculi), in a special expansion rule, called δ-rule. The evolution of different δ-rules that we sketch now took place in the framework of tableaux. We use the tableau notation in the rest of this paper.¹

In a Smullyan style ground tableau calculus [11], there is a δ-rule of the form

    ∃x.φ(x)
    ───────
      φ(c)

where c is a constant symbol, which must be new relative to the tableau or branch to which the rule is applied. The intuition behind this requirement is to make sure that all we know about c is φ(c). (Sometimes, we do know more about c, however, which is where some liberalized δ-rules come in.)

In a free variable tableau calculus, where free variables stand for instances not yet known, the δ-rule

        ∃x.φ(x)
    ───────────────
    φ(f(x₁, …, xₙ))

introduces a term t = f(x₁, …, xₙ), where the choice of both the function symbol and the variables has to meet certain requirements, which vary from one δ-rule to the other. Early versions of this rule, e.g. [5], required that the function symbol f is new and that all free variables present on the current branch are

¹ Note, however, that it is trivial to translate the discussion to a sequent calculus notation.
parameters of t. These parameters guarantee that t stays new w.r.t. the branch even after applying arbitrary substitutions.

Later versions of the δ-rule for free variable tableaux modified the restrictions for t, always shortening the minimal proof length. At first, the δ⁺-rule, introduced by Hähnle and Schmitt [7], reduced the parameters of t to the free variables of the expanded formula only. Now, t is actually a Skolem term in the sense that the soundness argument for this rule uses the semantic properties of Skolemization. Note that, with this rule, it is possible to unify t with a free variable occurring above in the branch. Consequently, after applying such a unifier to the tableau, the term replacing the existentially bound variable occurs in the proof prior to the rule that introduced it. It is not trivial to formulate a sound δ-rule for a ground tableau which corresponds one to one to δ⁺, see [2, Sect. 3.6].

A further modification of the restrictions for t is formulated in the δ⁺⁺-rule by Beckert et al. [3]. Now, the function symbol of the Skolem term need not be new in general. Instead, the same functor can be used when the δ⁺⁺-rule is applied to formulae that are identical up to renaming of (free and bound) variables. In effect, the functors are classes of such formulae. This way of Skolemization is closely related to the idea of ε-terms, because the chosen element is identified by a class of formulae it satisfies. However, Skolemization of two formulae, where one is an instance of the other, leads to non-unifiable results. Consequently, rule application and substitution of free variables are not exchangeable, which is unsatisfying from an intuitive point of view.

There are already δ-rules going beyond δ⁺⁺, e.g. δ* [1] and the rule of [4], which we shall come back to in the course of this paper.

1.3 This Paper

This paper is concerned with the embedding of ε-terms in a calculus well suited for automated theorem proving. Moreover, our issue is the border between ε-handling that fits purely automated proof search, and ε-handling requiring human guidance. The context of our work is research on concepts for integrating automated and interactive theorem proving in a homogeneous way. By 'homogeneous' we mean an integration of the two paradigms in one prover, based on one calculus. In this setting, a calculus must be intuitive as well as efficient, which shall be an issue in Sect. 3 and 4.

In this paper, we present a spectrum of treatments of ε-terms, discussing their suitability for automated proof search. ε essentially is a choice operator. Therefore, fixing its semantics means fixing the features of the choice. Given ∃x.φ(x), the choice of an element e for which φ(e) holds may for example depend only on the semantics (i.e. the extension) of φ. Another possibility is to let the choice depend only on the syntax of a formula (compare above). But then, the choice function should have some basic properties, which we discuss below.

We start, in Sect. 2, with the introduction of a δε-rule and, because of the similarity to the δ⁺⁺-rule, compare both with respect to minimal proof length. Then, we turn to the semantics of ε-terms in Sect. 3, defining a hierarchy of ε-structures. The distinction between different structures is justified in Sect. 4, where two calculi that are complete for different semantics are presented and discussed with respect to automated theorem proving.



2 Using ε-Terms Instead of Skolem Functions

2.1 Introducing ε-Terms

We begin by defining a number of basic syntactic notions.

Definition 1 (Syntax, free/bound variables, substitutions). Let V be a fixed (infinite) set of variables. The sets Tm, resp. Fm, of well-formed first-order terms, resp. formulae, are defined as usual, with the additional requirement that for all x ∈ V and φ ∈ Fm, there is a term εx.φ ∈ Tm.²

For a term or formula α, define bv(α) ⊆ V, resp. fv(α) ⊆ V, the sets of bound, resp. free variables of α. A term, resp. formula is called closed if it has no free variables. The sets of all closed terms, resp. closed formulae are denoted by Tm⁰, resp. Fm⁰.

A substitution is a mapping σ : V → Tm, where dom(σ) := {x ∈ V | σ(x) ≠ x} (called the domain of σ) is finite. The notation σ = [x₁/t₁, …, xₙ/tₙ] is used for the substitution with σ(xᵢ) = tᵢ, dom(σ) = {x₁, …, xₙ}.

The most important point here is that terms may contain bound variables, which is not the case in ordinary first-order logic: εx.φ is a term in which the variable x is bound. This means that a little more care needs to be taken when arguing about substitutions.

Instead of giving a formal semantics for ε-terms right away, we first show what we want to use them for, and defer the rigorous discussion to Sect. 3. The given intuition behind ε-terms captures the essence of ∃-quantifier elimination: given ∃x.φ, εx.φ denotes a value of which we know nothing, except that it makes φ true. Accordingly, we use the δε-rule

     ∃x.φ(x)
    ────────── δε
    φ(εx.φ(x))

To give the reader a general idea of how this works, here is a proof of the inconsistency of the set of formulae

    {∀w.p(w, a, b), (∀y.∃x.¬p(x, y, b)) ∨ (∀z.∃x.¬p(x, a, z))}

² This means that, unlike the usual practice, terms and formulae are defined by mutual recursion.
in an unsigned tableau calculus with free variables:

    1: ∀w.p(w, a, b)
    2: (∀y.∃x.¬p(x, y, b)) ∨ (∀z.∃x.¬p(x, a, z))
    3, γ(1): p(U, a, b)

    4, β(2): ∀y.∃x.¬p(x, y, b)              5, β(2): ∀z.∃x.¬p(x, a, z)
    6, γ(4): ∃x.¬p(x, Y, b)                 7, γ(5): ∃x.¬p(x, a, Z)
    8, δε(6): ¬p(εx.¬p(x, Y, b), Y, b)      9, δε(7): ¬p(εx.¬p(x, a, Z), a, Z)

The tableau is closed after applying the following substitution:

    [U/εx.¬p(x, a, b), Y/a, Z/b]

With the δ⁺ or δ⁺⁺ rules, different Skolem functions would be chosen for the Skolemization of formulae 6 and 7, so the tableau could not be closed without a second instance of the γ-formula 1.

It should be mentioned at this point that ε-terms (a) may be nested, (b) may contain free variables, and (c) may lead to rather large formulae, as they repeat most of the δ-formula. The problem of large formulae can be addressed in an implementation using structure sharing.

The main benefit of using ε-terms to handle δ-formulae is that identical formulae lead to introduction of the same term. The same idea is realized in the δ⁺⁺-rule. Therefore, in the next section we compare that rule to δε.
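The δε-rule, substitution and unification-based closure of the tableau above, as an added worked example (this code is not from the paper; its tuple encoding of terms and formulae and the helper names V, F, P, EPS, gamma, delta_eps, unify, closing_substitution are assumptions of the example). It replays the tableau of Sect. 2.1 with one γ-instance of formula 1 and computes the closing substitution [U/εx.¬p(x, a, b), Y/a, Z/b]; variables bound by an ε-term are treated as rigid during unification, so two ε-terms unify only structurally, as in the paper's syntactic closure rule.

```python
"""Added example, not from the paper: the syntax of Def. 1 with epsilon-terms,
the delta-epsilon rule, substitution and syntactic unification, replayed on the
tableau of Sect. 2.1.  Encoding (an assumption of this example):
  ('V', n) variable; ('F', n, args) function application, constant if args == ();
  ('E', x, phi) the epsilon-term eps x.phi; ('P', n, args) atom;
  ('NOT', phi), ('OR', a, b), ('ALL', x, phi), ('EX', x, phi)."""

def V(n): return ('V', n)
def F(n, *args): return ('F', n, tuple(args))
def P(n, *args): return ('P', n, tuple(args))
def EPS(x, phi): return ('E', x, phi)
def NOT(phi): return ('NOT', phi)
def ALL(x, phi): return ('ALL', x, phi)
def EX(x, phi): return ('EX', x, phi)

BINDERS = ('E', 'ALL', 'EX')

def subst(sub, e):
    """Apply sub (variable name -> term).  A binder shadows its own variable; no
    capture can occur in the calculus, because free variables stem from
    gamma-rules and are distinct from all bound variables, so nothing is renamed."""
    tag = e[0]
    if tag == 'V':
        return sub.get(e[1], e)
    if tag in ('F', 'P'):
        return (tag, e[1], tuple(subst(sub, a) for a in e[2]))
    if tag in BINDERS:
        return (tag, e[1], subst({k: v for k, v in sub.items() if k != e[1]}, e[2]))
    return (tag,) + tuple(subst(sub, a) for a in e[1:])

def gamma(f, fresh):
    """gamma-rule: ALL x.phi  |-  [x/X]phi with a new free variable X."""
    return subst({f[1]: V(fresh)}, f[2])

def delta_eps(f):
    """delta-epsilon rule: EX x.phi |- [x/eps x.phi]phi  and
    NOT ALL x.phi |- [x/eps x.NOT phi] NOT phi."""
    if f[0] == 'EX':
        return subst({f[1]: EPS(f[1], f[2])}, f[2])
    if f[0] == 'NOT' and f[1][0] == 'ALL':
        x, phi = f[1][1], f[1][2]
        return subst({x: EPS(x, NOT(phi))}, NOT(phi))
    raise ValueError('not a delta-formula')

def deref(t, sub, bound):
    while t[0] == 'V' and t[1] not in bound and t[1] in sub:
        t = sub[t[1]]
    return t

def occurs(x, t, sub, bound):
    t = deref(t, sub, bound)
    if t[0] == 'V':
        return t[1] == x
    parts = t[2] if t[0] in ('F', 'P') else t[1:]
    return any(isinstance(p, tuple) and occurs(x, p, sub, bound) for p in parts)

def unify(a, b, sub, bound=frozenset()):
    """Syntactic unification with occurs check; sub is extended in place as a
    triangular substitution.  Variables in `bound` belong to an enclosing
    epsilon-term or quantifier and are rigid: two epsilon-terms unify only if
    they bind the same variable name and their bodies unify (cf. Remark 1)."""
    a, b = deref(a, sub, bound), deref(b, sub, bound)
    if a == b:
        return True
    if a[0] == 'V' and a[1] not in bound:
        if occurs(a[1], b, sub, bound):
            return False
        sub[a[1]] = b
        return True
    if b[0] == 'V' and b[1] not in bound:
        return unify(b, a, sub, bound)
    if a[0] != b[0] or a[0] == 'V':      # clash, or two distinct rigid variables
        return False
    if a[0] in ('F', 'P'):
        return a[1] == b[1] and len(a[2]) == len(b[2]) and \
            all(unify(x, y, sub, bound) for x, y in zip(a[2], b[2]))
    if a[0] in BINDERS:
        return a[1] == b[1] and unify(a[2], b[2], sub, bound | {a[1]})
    return len(a) == len(b) and all(unify(x, y, sub, bound) for x, y in zip(a[1:], b[1:]))

def resolve(sub, e):
    """Fully apply a triangular unifier (iterate substitution to a fixpoint)."""
    n = subst(sub, e)
    return n if n == e else resolve(sub, n)

# Formulae 1, 4 and 5 of the tableau; a, b constants, U, Y, Z gamma-variables.
A, B = F('a'), F('b')
F1 = ALL('w', P('p', V('w'), A, B))
F4 = ALL('y', EX('x', NOT(P('p', V('x'), V('y'), B))))
F5 = ALL('z', EX('x', NOT(P('p', V('x'), A, V('z')))))

def branch_literals():
    """Formula 3 (shared) and the delta-epsilon results 8 and 9 of the two branches."""
    return (gamma(F1, 'U'),                 # p(U, a, b)
            delta_eps(gamma(F4, 'Y')),      # NOT p(eps x.NOT p(x,Y,b), Y, b)
            delta_eps(gamma(F5, 'Z')))      # NOT p(eps x.NOT p(x,a,Z), a, Z)

def closing_substitution():
    """One substitution closing both branches against the single gamma-instance 3,
    or None if the two complementary pairs have no simultaneous unifier."""
    f3, f8, f9 = branch_literals()
    sub = {}
    if not (unify(f3, f8[1], sub) and unify(f3, f9[1], sub)):
        return None
    return {v: resolve(sub, t) for v, t in sub.items()}

def closed_branch_literals():
    """Literals 3, 8, 9 under the closing substitution: 8 and 9 coincide."""
    sub = closing_substitution()
    return tuple(resolve(sub, f) for f in branch_literals())
```

Running closing_substitution() yields U ↦ εx.¬p(x, a, b), Y ↦ a, Z ↦ b: the two δε-literals become the same literal ¬p(εx.¬p(x, a, b), a, b), which is why a single instance of the γ-formula 1 suffices. A δ⁺⁺-style Skolem term would carry two different functors for formulae 6 and 7 and the second unification would fail.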



2.2 Exponentially Shorter Proofs with ε-Terms than with δ⁺⁺

We shall now show that the δε-rule can cut down minimal proof length exponentially with respect to a certain modification of the δ⁺⁺-rule: while the original δ⁺⁺-rule allows to assign the same Skolem function symbol to any two formulae which are equal up to renaming of bound and free variables, we require the formulae to be equal up to renaming of free variables only. We refer to this modification as the δ⁺⁺′-rule.

Theorem 1 (Proof length with δε vs. δ⁺⁺′). There is a family (φₙ)_{n∈ℕ} of valid first-order formulae, such that the minimal numbers δε(n), resp. δ⁺⁺′(n), of branches in a closed tableau for φₙ using the δε-rule, resp. the δ⁺⁺′-rule, satisfy δε(n) ∈ O(n) and δ⁺⁺′(n) ∈ Θ(2ⁿ).

Proof. The proof is based on the same ideas as the one in [3], where it is shown that the δ⁺⁺-rule permits exponentially shorter proofs than the δ⁺-rule. Define

    φ₀   := true
    φₙ₊₁ := ∀x.φₙ ∧ (pₙ(x, a, b) → (∃y.∀x.pₙ(x, y, b) ∧ ∃z.∀x.pₙ(x, a, z)))

for n ∈ ℕ.

The proof proceeds analogous to that of [3]. As in the introductory example of Sect. 2.1, the inclusion of the Skolemized formula in the ε-terms provides the necessary information to permit the simultaneous closure of two branches in the case where another γ-rule application is needed with δ⁺⁺′. □

Clearly, any δ⁺⁺′-proof can be simulated using δε, so the δε-rule is strictly stronger than δ⁺⁺′.

Remark 1. It is not hard to modify the δε-rule to obtain exponentially shorter minimal proofs than with the original δ⁺⁺-rule of [3]: one only needs to define closure by means of unification modulo renaming of bound variables. Alternatively, normalize the names of bound variables when applying the δε-rule. We will omit this technical detail here, however.

Remark 2. Baaz and Fermüller [1] show a stronger speed-up result, namely that the δ*-rule gives non-elementary speed-up w.r.t. the δ⁺⁺-rule. We are currently investigating whether their proof technique can be applied to show that δε yields non-elementary speed-up w.r.t. δ⁺⁺′.

Remark 3. It is also possible to strengthen the δε-calculus in a way that makes it strictly stronger than the δ*-rule of Baaz and Fermüller [1], which in turn gives non-elementary speed-up w.r.t. the δ⁺⁺-rule. For lack of space, we are not going to develop this any further in this paper.

3 Semantics of ε-Terms

In the last section, we have introduced ε-terms as syntactical entities, but we have not given them a formal model semantics, which is the topic of this section.

3.1 Valuation in Pre-Structures

We want our logic with ε-terms to be a conservative extension of classical predicate logic, i.e. the validity of terms and formulae that do not contain ε-terms should remain the same. Accordingly, the valuation functions correspond closely to the classical case. On the other hand, we will discuss several possible semantics for ε-terms, so we give some minimal semantic definitions first and refine them later.

Definition 2 (Variable assignments, pre-structures). A variable assignment of V to a set D is a function β : V → D. We denote by β{x ← d} the modified assignment with

    β{x ← d}(y) := d     if y = x,
    β{x ← d}(y) := β(y)  otherwise.

A pre-structure is a triple S = (D, I, A) with the following properties:

— (D, I) is a classical first-order structure with carrier D and interpretation I.

— The ε-valuation A is a function that maps any ε-term εx.φ and any variable assignment β on D to a value A(εx.φ, β) ∈ D.

This definition contains no restriction whatsoever on the valuation of ε-terms. We will add restrictions that reflect the intended behaviour of these terms later. Here, we proceed by defining the valuation of terms and formulae on pre-structures.

Definition 3 (Term and formula valuation). The valuation val(S, β, t) ∈ D of a term t ∈ Tm in a pre-structure S = (D, I, A) under a variable assignment β is defined as for classical first-order logic, except for the valuation of ε-terms, where we set

    val(S, β, εx.φ) := A(εx.φ, β).

The validity relation for formulae, S, β ⊨ φ, is defined exactly as for classical first-order logic.

Note that, in contrast to the syntax, no mutual recursion between terms and formulae is needed in these semantic definitions: the whole valuation of ε-terms is delegated to the function A, so the semantic definitions do not take the formula in an ε-term into account so far.

3.2 A Hierarchy of Structures

In this section, we give several concrete restrictions leading to more useful semantics for ε-terms. In particular, we define the substitutive and extensional semantics, for which we give complete calculi in Sect. 4.

Two minimal requirements are needed to ensure a sensible semantics for ε-terms: first, the valuation of an ε-term should depend only on the valuation of variables occurring free in that term. Second, an ε-term εx.φ should actually denote a value that satisfies φ, if any such value exists. These requirements are captured in the following definition:

Definition 4 (Intensional structure). A pre-structure S = (D, I, A) is called intensional structure or I-structure, if

— any ε-term εx.φ and two assignments β₁, β₂ with β₁|fv(εx.φ) = β₂|fv(εx.φ) satisfy A(εx.φ, β₁) = A(εx.φ, β₂);

— for any β, x ∈ V, φ ∈ Fm, if S, β ⊨ ∃x.φ, then S, β{x ← A(εx.φ, β)} ⊨ φ.

A formula which is valid in all I-structures under all variable assignments is called I-valid. If it is valid in at least one I-structure under at least one variable assignment, it is called I-satisfiable.

This intensional semantics lacks an important property: it is not substitutive. E.g., from ∀x.q(εy.p(x, y)) it is not possible to infer q(εy.p(a, y)). Similarly, from the equality a = b, we cannot infer εx.p(x, a) = εx.p(x, b). However, these inferences become possible if we further constrain the set of permissible structures.
Definition 5 (Substitutive structure). An I-structure S = (D, I, A) is called substitutive or S-structure, if for all x, y ∈ V, φ ∈ Fm, β : V → D and t ∈ Tm with fv(t) ∩ bv(εx.φ) = ∅:

    A([y/t](εx.φ), β) = A(εx.φ, β{y ← val(S, β, t)}).

S-validity and S-satisfiability are defined analogous to Definition 4.

Substitutivity, namely the fact that

    val(S, β, [y/t]α) = val(S, β{y ← val(S, β, t)}, α)

for any term or formula α with fv(t) ∩ bv(α) = ∅, follows directly from this definition for S-structures. Substitutivity is a central property for the construction of a calculus, as it captures the semantic effects of the syntactic operation of substituting parts of a term or formula.

Classical first-order logic has the property that replacing an arbitrary subformula ψ of a formula φ by a logically equivalent formula ψ′ maintains the validity of φ. This is not necessarily the case with S-validity. In fact, from ∀x.p(x) ↔ q(x) it does not follow that εx.p(x) = εx.q(x). As long as we use ε-terms for ∃-quantifier elimination only, this would not be a problem. But, as we argue in the next section, it is reasonable to permit the use of ε-terms in the formulation of problems, which might well be done by a human. In that case, it is vital to make the behaviour of ε-terms as intuitive as possible. The main intuition behind logical equivalence is that replacing part of a formula by something equivalent should not change the meaning of the whole. We therefore define a semantics that has this property, by making the interpretation of an ε-term εx.φ depend on the semantics of the formula φ.

Definition 6 (Extensional structure). For an ε-term εx.φ, an I-structure S = (D, I, A) and a variable assignment β : V → D, define the extension

    Ext(S, β, εx.φ) := {d ∈ D | S, β{x ← d} ⊨ φ}.

An I-structure is called extensional or E-structure, if for all x, y ∈ V, φ, ψ ∈ Fm, β : V → D:

    if Ext(S, β, εx.φ) = Ext(S, β, εy.ψ), then A(εx.φ, β) = A(εy.ψ, β).

E-validity and E-satisfiability are defined analogous to Definition 4.

The three variations of ε-term semantics constitute a hierarchy, as stated in the following theorem.

Theorem 2 (Hierarchy Theorem). Let φ ∈ Fm. If φ is E-satisfiable, then it is S-satisfiable. If φ is S-satisfiable, then it is I-satisfiable.

Proof. The only non-trivial part of the proof is to show that extensional structures are always substitutive, which is done by showing substitutivity for all formulae and terms, using structural induction. For the complete proof, see [6] or [9]. □
It was mentioned at the beginning of this section that the logic with ε-terms should be a conservative extension of classical first-order logic, whatever the exact semantics chosen for the ε-terms. This is ensured by the following theorem.³

Theorem 3 (Embedding Theorem). Let φ ∈ Fm be a formula without ε-terms. The following statements are equivalent:

1. φ is satisfiable in classical first-order logic.⁴

2. φ is I-satisfiable.

3. φ is S-satisfiable.

4. φ is E-satisfiable.

Proof. 1.⇒4.: Let S₀ = (D, I) be a classical first-order structure, and β : V → D a variable assignment such that S₀, β ⊨ φ. We show the existence of an E-structure S = (D, I, A) with S, β ⊨ φ. As φ does not contain ε-terms, the validity of φ does not depend on A. Thus, it suffices to construct any E-structure with carrier D and interpretation I.

Using the axiom of choice, we may assume the existence of a function α : 𝒫(D) → D satisfying α(M) ∈ M for all non-empty sets M ⊆ D. The ε-valuation A is defined by successive approximation. We define the family of sets Fᵢ ⊆ Fm for i ∈ ℕ by:

    F₀   := {φ ∈ Fm | φ contains no ε-terms}
    Fᵢ₊₁ := Fᵢ ∪ {φ ∈ Fm | φ contains only ε-terms εx.ψ with ψ ∈ Fᵢ}

Obviously, we have Fm = ⋃ᵢ≥₀ Fᵢ. Let ℓ(φ) := min{i | φ ∈ Fᵢ} be the index of the first of these sets containing a given formula φ. We now define a family of ε-valuations Aᵢ for i ∈ ℕ as follows:

    A₀(εx.φ, β)   := d⊥
    Aᵢ₊₁(εx.φ, β) := α(Extᵢ(εx.φ, β))   for φ ∈ Fᵢ,
    Aᵢ₊₁(εx.φ, β) := d⊥                  otherwise,

where Extᵢ(εx.φ, β) := {d ∈ D | (D, I, Aᵢ), β{x ← d} ⊨ φ}, and d⊥ ∈ D is an arbitrary carrier element. Defining

    A(εx.φ, β) := A_{ℓ(φ)+1}(εx.φ, β)

makes S := (D, I, A) an E-structure. The proof that this is the case is not very hard, though somewhat technical, and can be found in [6].

4.⇒3. and 3.⇒2. follow immediately from Theorem 2.

2.⇒1.: The validity of φ is independent of the ε-valuation, as φ contains no ε-terms. Therefore, (D, I, A), β ⊨ φ implies (D, I), β ⊨ φ in classical first-order logic. □

³ This is the semantic equivalent of Hilbert's Second ε-Theorem. It is of course much easier to show, because we argue with model semantics instead of proof theory.

⁴ The definition of satisfiability differs slightly between authors. We call a formula satisfiable if there are a structure and a variable assignment which satisfy the formula.
It should be remarked that there are many more variants of ε-semantics than the three proposed in this paper. The intensional semantics is minimal, in the sense that it captures only the most basic properties of ε-terms. The extensional semantics, on the other hand, assures an intuitive structural property. Finally, as the next section shows, the substitutive semantics has pleasant properties when it comes to constructing a calculus. But there are of course many other possible restrictions on the evaluation of ε-terms that give rise to as many different semantics. E.g., it is possible to require the value of ε-terms to remain the same under renaming of bound variables, a property that is guaranteed in E-structures, but not in S-structures. That would permit a full simulation of the δ⁺⁺-rule. It is also possible to construct an even stronger semantics than the extensional one: for instance, one might require the existence of a well-ordering on the carrier set D, such that the value of an ε-term is always the minimal element of its extension. In view of the results of the next section, however, stronger semantics are probably not of much interest to automated theorem proving.
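An added worked example for Definitions 2 to 6 and for the construction in the proof of Theorem 3 (this code is not from the paper; the tuple encoding of syntax, the dictionary form of structures, the constructed toy structure S0 and the names holds, ext, A_ext, A_syn, is_I_structure_on are assumptions of the example). Over the finite carrier {0, 1} it evaluates formulae under a given ε-valuation, builds the Embedding Theorem's valuation from the choice function α(M) = min M (on a finite ordered carrier this is also the "minimal element of the extension" semantics just mentioned), and exhibits an I-structure whose ε-valuation depends on the syntax of the term, so that ∀x.q(εy.p(x, y)) holds while q(εy.p(a, y)) fails; instance checks of the Def. 5 and Def. 6 conditions separate the two valuations.

```python
"""Added example, not from the paper: finite-model semantics for epsilon-terms.
Structures are dicts {'D': carrier list, 'funcs': name -> callable,
'preds': name -> set of tuples, 'A': epsilon-valuation}; the syntax encoding
('V', n), ('F', n, args), ('P', n, args), ('E', x, phi), ('NOT', phi),
('ALL', x, phi), ('EX', x, phi) and the toy structure S0 are constructed here."""
from itertools import product

def V(n): return ('V', n)
def F(n, *args): return ('F', n, tuple(args))
def P(n, *args): return ('P', n, tuple(args))
def EPS(x, phi): return ('E', x, phi)
def NOT(phi): return ('NOT', phi)
def ALL(x, phi): return ('ALL', x, phi)
def EX(x, phi): return ('EX', x, phi)

def free_vars(e):
    tag = e[0]
    if tag == 'V':
        return {e[1]}
    if tag in ('E', 'ALL', 'EX'):
        return free_vars(e[2]) - {e[1]}
    parts = e[2] if tag in ('F', 'P') else e[1:]
    return set().union(*map(free_vars, parts))

def mentions(e, sub):
    """Purely syntactic: does `sub` occur as a subexpression of e?"""
    if e == sub:
        return True
    parts = e[2] if e[0] in ('F', 'P') else e[1:]
    return any(isinstance(p, tuple) and mentions(p, sub) for p in parts)

def val(S, beta, t):
    """Def. 3: classical valuation; an epsilon-term is delegated to A."""
    if t[0] == 'V':
        return beta[t[1]]
    if t[0] == 'F':
        return S['funcs'][t[1]](*[val(S, beta, a) for a in t[2]])
    return S['A'](S, beta, t)

def holds(S, beta, phi):
    """S, beta |= phi, exactly as in classical first-order logic."""
    tag = phi[0]
    if tag == 'P':
        return tuple(val(S, beta, a) for a in phi[2]) in S['preds'][phi[1]]
    if tag == 'NOT':
        return not holds(S, beta, phi[1])
    if tag == 'ALL':
        return all(holds(S, {**beta, phi[1]: d}, phi[2]) for d in S['D'])
    if tag == 'EX':
        return any(holds(S, {**beta, phi[1]: d}, phi[2]) for d in S['D'])
    raise ValueError(tag)

def ext(S, beta, e):
    """Ext(S, beta, eps x.phi) = {d in D | S, beta{x <- d} |= phi}  (Def. 6)."""
    return {d for d in S['D'] if holds(S, {**beta, e[1]: d}, e[2])}

def A_ext(S, beta, e):
    """Valuation of the Embedding Theorem with alpha(M) = min M.  Nested
    epsilon-terms inside phi are evaluated first by the recursion through
    holds/val, which is the successive approximation A_{l(phi)+1}; the
    empty extension gets d_bot, taken to be the first element of D."""
    m = ext(S, beta, e)
    return min(m) if m else S['D'][0]

def A_syn(S, beta, e):
    """An I-structure valuation (witness property, dependence on fv only) whose
    choice depends on the syntax of phi: largest element of the extension if
    the term mentions the constant a, least element otherwise."""
    m = ext(S, beta, e)
    if not m:
        return S['D'][0]
    return max(m) if mentions(e, F('a')) else min(m)

def is_I_structure_on(S, eterms, names):
    """Exhaustive check of both Def. 4 conditions for the given epsilon-terms
    over all assignments of `names` (which must cover their free variables)."""
    betas = [dict(zip(names, vs)) for vs in product(S['D'], repeat=len(names))]
    for e in eterms:
        fv = free_vars(e)
        for b1 in betas:
            v1, m = val(S, b1, e), ext(S, b1, e)
            if m and v1 not in m:                       # must pick a witness if one exists
                return False
            for b2 in betas:                            # may depend on fv(e) only
                if all(b1[n] == b2[n] for n in fv) and val(S, b2, e) != v1:
                    return False
    return True

def substitutive_instance(S, beta, e, y, t, e_subst):
    """One instance of Def. 5, with e_subst = [y/t]e supplied by the caller:
    A([y/t]e, beta) == A(e, beta{y <- val(t)})."""
    return val(S, beta, e_subst) == val(S, {**beta, y: val(S, beta, t)}, e)

def extensional_instance(S, beta, e1, e2):
    """One instance of Def. 6: equal extensions must give equal values."""
    return ext(S, beta, e1) != ext(S, beta, e2) or val(S, beta, e1) == val(S, beta, e2)

# Constructed toy structure: D = {0, 1}, a = 0, p holds everywhere, q holds of 0 only.
S0 = {'D': [0, 1], 'funcs': {'a': lambda: 0},
      'preds': {'p': {(0, 0), (0, 1), (1, 0), (1, 1)}, 'q': {(0,)}}}
E_OPEN = EPS('y', P('p', V('x'), V('y')))      # eps y.p(x,y)
E_CLOSED = EPS('y', P('p', F('a'), V('y')))    # eps y.p(a,y) = [x/a] E_OPEN

def with_A(A):
    return {**S0, 'A': A}

def inference_holds(A):
    """Does ALL x.q(eps y.p(x,y)) entail q(eps y.p(a,y)) under the valuation A?"""
    S = with_A(A)
    premise = holds(S, {}, ALL('x', P('q', E_OPEN)))
    conclusion = holds(S, {}, P('q', E_CLOSED))
    return (not premise) or conclusion
```

Under A_ext both ε-terms have extension {0, 1} and value 0, so the inference goes through and the Def. 5 and Def. 6 instances hold; under A_syn the open term evaluates to 0 but the closed one to 1, so both instance checks fail and the inference after Def. 4 is refuted, although is_I_structure_on still accepts A_syn as an I-structure.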



4 Proving Theorems with ε-Terms

If we restricted the use of ε-terms to ∃-quantifier elimination, the completeness of the resulting calculus for first-order problems without ε-terms would be an easy consequence of the completeness of less liberal δ-rules, like δ⁺ or δ⁺⁺. The main thing to show would be the soundness of the new rule.

However, the work presented in this paper was done with the aim of integrating automated and interactive proof systems using a common calculus. In that setting, it seemed unnatural to forbid the use of ε-terms in the formulation of the proof obligations themselves. The user might want to formulate lemmata or cut formulae that use ε-terms. So the question was whether we could find a calculus that was complete for the whole logic with ε-terms, or more precisely, for which semantics such a calculus could be found.

We now present variants of the free-variable tableau calculus for the substitutive and extensional semantics; the intensional semantics, lacking substitutivity, is too weak to allow a reasonable free-variable calculus. The calculus for the extensional semantics will use a logic with equality, but we shall not discuss equality handling here, as the problems arising are largely orthogonal. For a more detailed discussion, including equality handling with constraints, see [6].

4.1 A Complete Calculus for the Substitutive Semantics

We consider a standard unsigned free-variable tableau calculus with the usual α, β and γ expansion rules, as well as a closure rule based on syntactic unification that applies a substitution to all formulae in the tableau. We use the following δε expansion rules:

      ∃x.φ                       ¬∀x.φ
    ─────────── δε     and    ──────────────── δε
    [x/εx.φ]φ                  [x/εx.¬φ]¬φ
Additionally we introduce an ε expansion rule,

    ─────────────────────── ε
    ¬∃x.φ   |   [x/εx.φ]φ

In the left branch, one has to show that there exists at least one element satisfying φ. In the right branch, we can use the fact that εx.φ denotes one such element.

By taking x ∉ fv(φ), this rule can easily be seen to be equivalent to the cut rule. So, to permit the application of the ε-rule in an automated theorem prover without exploding the search space, we have to make sure that it is only applied in a very limited way. We show that the calculus remains complete if we allow the application of the ε-rule only if

1. the branch contains an atomic formula (¬)p(t₁, …, tₙ), such that

   (a) εx.φ is a subterm of one of the tᵢ, and

   (b) no free variable of εx.φ is bound by a containing ε-term in p(t₁, …, tₙ);

2. εx.φ was not introduced by a δ-rule, and

3. the ε-rule has not previously been applied for εx.φ on this branch.

For instance, given an atom

    p(f(εx.q(x, y)), εx.r(g(εy.s(x, y)))),

the ε-rule is applied for εx.q(x, y) and εx.r(g(εy.s(x, y))), but not for εy.s(x, y), as the variable x is bound in the containing ε-term. Note that these restrictions ensure that the ε-rule is not applied at all if there are no ε-terms in the original problem. Of course, the ε-rule is also sound without these restrictions.
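The subterm side condition of the restricted ε-rule, as an added example (not from the paper; the tuple encoding and the names eps_rule_candidates, from_delta and applied are assumptions of the example, as is the decision to let a quantifier inside an ε-body block inner ε-terms in the same way as an ε-binder). One pass over a literal collects its ε-terms and marks those violating condition 1(b); conditions 2 and 3 are the two bookkeeping sets a prover would keep per branch. On the atom of the text it selects εx.q(x, y) and εx.r(g(εy.s(x, y))) and rejects εy.s(x, y).

```python
"""Added example, not from the paper: the subterm test of restriction 1 of the
epsilon-rule.  Encoding (an assumption of this example): ('V', n) variable,
('F', n, args) function application, ('P', n, args) atom, ('E', x, phi) the
epsilon-term eps x.phi, ('NOT', phi), ('ALL', x, phi), ('EX', x, phi)."""

def V(n): return ('V', n)
def F(n, *args): return ('F', n, tuple(args))
def P(n, *args): return ('P', n, tuple(args))
def EPS(x, phi): return ('E', x, phi)
def NOT(phi): return ('NOT', phi)

def _walk(e, stack, seen, blocked):
    """stack: enclosing binders, innermost last, as (binder_expr, variable).
    An occurrence of v bound by the binder at position i is free in every
    epsilon-term strictly inside that binder (positions > i) while a containing
    binder binds v, which is exactly what restriction 1(b) forbids."""
    tag = e[0]
    if tag == 'V':
        for i in range(len(stack) - 1, -1, -1):
            if stack[i][1] == e[1]:
                blocked.update(t for t, _ in stack[i + 1:] if t[0] == 'E')
                break
    elif tag in ('E', 'ALL', 'EX'):
        if tag == 'E':
            seen.append(e)
        _walk(e[2], stack + ((e, e[1]),), seen, blocked)
    else:
        parts = e[2] if tag in ('F', 'P') else e[1:]
        for p in parts:
            if isinstance(p, tuple):
                _walk(p, stack, seen, blocked)

def eps_rule_candidates(literal, from_delta=frozenset(), applied=frozenset()):
    """Epsilon-terms of a literal (-)p(t1, ..., tn) to which the restricted
    epsilon-rule may still be applied on this branch, in order of first
    occurrence.  from_delta: terms introduced by a delta-rule (restriction 2);
    applied: terms the rule was already applied to on this branch (restriction 3)."""
    seen, blocked = [], set()
    _walk(literal, (), seen, blocked)
    return [t for t in dict.fromkeys(seen)
            if t not in blocked and t not in from_delta and t not in applied]

# The atom from the text: p(f(eps x.q(x,y)), eps x.r(g(eps y.s(x,y))))
E_Q = EPS('x', P('q', V('x'), V('y')))
E_S = EPS('y', P('s', V('x'), V('y')))
E_R = EPS('x', P('r', F('g', E_S)))
ATOM = P('p', F('f', E_Q), E_R)
```

Because every ε-term of an ε-free problem is introduced by a δε-rule, from_delta filters all of them out and the rule never fires there, which is the property the text notes; the same ε-term E_S becomes eligible as soon as it occurs outside a binder of x.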

Theorem 4 (Soundness of Calculus with 5^- and e-Rules). Let <j) G Fm^ 

he a elosed formula. If there is a closed tableau for using the and e expan- 
sion rules, then <j> is S-valid. 

Proof. The proof follows the proof for the classical free-variable tableau calculus 
with the δ⁺-rule, see [7]. An S-structure $\mathcal{S} = (\mathcal{D}, \mathcal{I}, \mathcal{A})$ is said to satisfy a tableau 
$T$, if for all variable assignments $\beta : \mathcal{V} \to \mathcal{D}$ there is a branch on which $\mathcal{S},\beta \models \phi$ 
for all formulae $\phi$ on the branch. We must show that if $\mathcal{S}$ satisfies $T$, then $\mathcal{S}$ 
also satisfies any tableau constructed by the application of an expansion rule. 
Here, only the δ⁺- and ε-rules are interesting. 

If $T'$ is constructed by applying the δ⁺-rule for a formula $\exists x.\phi$ on a branch 
$B$ of $T$, and $\mathcal{S} = (\mathcal{D}, \mathcal{I}, \mathcal{A})$ satisfies $T$, let $\beta : \mathcal{V} \to \mathcal{D}$ be a variable assignment, 
and $B_0$ a branch such that all formulae on $B_0$ are valid under $\mathcal{S},\beta$. If $B_0$ 
and $B$ are not the same, the branch $B_0$ has not changed, and we are finished. 
Otherwise, we show that the new formula on $B$ is also valid under $\mathcal{S},\beta$. We 
know $\mathcal{S},\beta \models \exists x.\phi$. From Def. 4 we get $\mathcal{S},\beta\{x \leftarrow \mathcal{A}(\varepsilon x.\phi, \beta)\} \models \phi$, and with 
$\mathrm{val}(\mathcal{S}, \beta, \varepsilon x.\phi) = \mathcal{A}(\varepsilon x.\phi, \beta)$ and substitutivity, we have $\mathcal{S},\beta \models [x/\varepsilon x.\phi]\phi$, which is what 
we needed to show. Note that there can be no problems with collisions between 
free variables in $\varepsilon x.\phi$ and bound variables in $\phi$, as any free variables in $\phi$ must 
have been introduced by a γ-rule, and are thus new with respect to any quantified 
variable. The case for $\neg\forall x.\phi$ is, of course, analogous. 

If $B$ is extended using the ε-rule, yielding two extended branches, and $\mathcal{S},\beta$ 
satisfy every formula on $B$, there are two cases: 

1. $\mathcal{S},\beta \models \exists x.\phi$. Then, due to Def. 4, we have $\mathcal{S},\beta\{x \leftarrow \mathcal{A}(\varepsilon x.\phi, \beta)\} \models \phi$, and 
as in the δ⁺-case, it follows that $\mathcal{S},\beta \models [x/\varepsilon x.\phi]\phi$. So $\mathcal{S},\beta$ satisfy all formulae 
on the right branch. 

2. $\mathcal{S},\beta \not\models \exists x.\phi$. Then we obviously get $\mathcal{S},\beta \models \neg\exists x.\phi$, and $\mathcal{S},\beta$ satisfy all 
formulae on the left branch. 

The rest of the proof is identical to the one without ε-terms. □ 

If the formula $\phi$ to be proved does not contain ε-terms, the ε-rule can never 
be applied, so this theorem also proves the soundness of the δ⁺-rule if ε-terms 
are used for ∃-quantifier elimination only. Also note that the restrictions of the 
ε-rule were not used in this proof. 

Theorem 5 (Completeness of Calculus with δ⁺- and ε-Rules). Let $\phi \in \mathrm{Fm}_\Sigma$ 
be a closed S-valid formula. Then there is a closed tableau for $\phi$ using the δ⁺ 
and ε expansion rules. 

We do not give the proof of this theorem here, as it is rather lengthy and 
technical. A full proof is given in [6]. Here, we only point out the two main 
difficulties: 

— While the Hintikka-set construction proceeds as usual, the definition of an 
S-structure satisfying all formulae of the Hintikka-set poses some problems: 
if we chose the set of all closed terms as carrier set, we would have to apply 
the ε-rule to all possible closed ε-terms to ensure completeness, contrary 
to the restrictions of the ε-rule. So we need to limit ourselves to all closed 
terms occurring in atomic formulae of the Hintikka-set. But then, it becomes 
difficult to define the structure in a way that ensures substitutivity for all ε-
terms and not only for the ones constituting the carrier. 

— The restrictions of the ε-rule make lifting a trifle more complicated: in the 
ground version, we restrict the application of the ε-rule to closed ε-terms 
occurring in atomic formulae on the current branch. When we lift a ground 
tableau, these closed ε-terms may disappear into a free variable that has 
not yet been instantiated when the ε-rule is applied. In this case, we must 
show that there must be a corresponding ε-term - possibly containing not-
yet-instantiated free variables - somewhere else on the branch. This is the 
case because the free variable in question will at some time be instantiated 
by unification, so the instance is necessarily 'somewhere' on the branch from 
the beginning. Of course, the formal proof is a little involved. 

4.2 A Complete Calculus for the Extensional Semantics 

We have argued that the extensional semantics is more intuitive than the substi-
tutive one. Thus, it would be good to have a complete calculus for the extensional 
semantics too. We now present such a calculus, but it will turn out that it is not 
suited for use in an automated theorem prover. 

We obtain a complete calculus for the extensional semantics if we add an-
other tableau expansion rule to the calculus described in Sec. 4.1, namely 

$$\frac{}{\neg\forall z.([x/z]\phi \leftrightarrow [y/z]\phi') \;\mid\; \varepsilon x.\phi = \varepsilon y.\phi'}$$

referred to as the ext expansion rule.* Intuitively the rule says that, whenever we 
can show that the equivalence of two formulae is a consequence of the current 
branch, we can identify the values of the corresponding ε-terms. Together with 
any complete set of rules for equality handling, this yields a sound and complete 
calculus for the extensional semantics, as is shown in [6]. (The completeness 
proof is much easier than that of Theorem 5, as we do not impose any restrictions 
on the application of the ext or ε-rule.) 

There are a number of problems with the ext-rule: 

— We currently do not know - though it seems plausible - whether the rule 
remains complete if we restrict its application to ε-terms already occurring 
on the branch. 

— Even if this were the case, it would have to be applied to any pair of occurring 
ε-terms, which would give rise to a quadratic number of rule applications. 

— The formula introduced on the left branch is a δ-formula, leading to the 
introduction of another ε-term, which would in turn have to be taken into 
account for the ext-rule. Maybe it is not necessary for completeness to apply 
the ext-rule to these new ε-terms, but that is not yet known. 

— Most possible applications of the ext-rule would be completely useless for a 
proof, as two formulae are normally not equivalent. Each such unnecessary 
split would at least double the size of the proof. 

Clearly, the ext-rule is as dangerous for a machine to apply as a non-atomic cut! 
Unfortunately, there does not seem to be any other way to cope with extensional 
semantics. 

In the setting of an integrated automated and interactive proof system, we 
decided to adopt the following view: human users may consider ε-terms to have 
extensional semantics. They are given a complete calculus including the ext-rule 
for interactive work. The automated part of the system uses the calculus de-
scribed in Sect. 4.1, which is not complete for the extensional semantics. But 
thanks to the Hierarchy Theorem 2, it is sound: any S-valid formula is also 
E-valid. And we also provide a precise semantic characterization of the incom-
pleteness, namely the automated system can find proofs only for theorems that 
are not only E-valid, but also S-valid. 

* This rule was designed for a logic with equality. In a logic without equality, exten-
sionality could be handled with a rule like 

$$\frac{\psi(\varepsilon x.\phi)}{\neg\forall z.([x/z]\phi \leftrightarrow [y/z]\phi') \;\mid\; \psi(\varepsilon y.\phi')}$$
5 Conclusion 

The idea of eliminating existential quantifiers by means of ε-terms has been known 
for decades. So far, however, this concept is not used (on an object language 
level) in frameworks for automated deduction. Traditionally, most approaches 
there deal with Skolem terms instead, e.g. in the context of δ-rules. Compared 
to simple (i.e. earlier) versions of Skolemization, the ε-terms seem to be more 
complicated. During the last years, on the other hand, the investigation into 
more efficient δ-rules led to more sophisticated Skolemization techniques. We 
interpret this evolution as a movement towards ε-like behaviour. Therefore, in 
this paper we proposed to use ε-terms themselves in the context of automated 
theorem proving, as they have several desirable properties. Compared to Skolem 
terms, the representation of some information about the 'chosen' element is 
shifted to the level of the object language. Therefore, the origin and usage of 
that information is made transparent. For the same reason, object language 
operations like substitution can be applied to this information. (This exactly is 
the reason for the exponential speedup discussed in Sect. 2.2.) 

Moreover, the usage of ε-terms enables us to add a property like extension-
ality, if desired, by just adding a rule to the calculus. This is the consequence 
of the semantic hierarchy presented in Sect. 3 and the corresponding rules of 
Sect. 4. We discussed the suitability of these different variants of an ε-calculus 
for automated proof search. Here, we want to add that substitutivity on the one 
hand and extensionality on the other hand can be seen as the extremes of a 
range of ε-treatments. Between both, there are other possibilities to exploit spe-
cial cases of (easily checkable) equivalences. An example for this is the usage of 
the concept of relevant formulae, used in the δ**-rule of Cantone and Nicolosi [4]. 
We believe that ε-terms provide a framework in which many possible approaches 
to existential quantifier handling may be expressed. 
Abstract. A functional notation is not a necessity for a predicate logic 
since a function of n arguments can be represented as a predicate of 
n + 1 arguments. But a functional notation in a predicate logic with 
identity can greatly simplify some assertions, and for this reason a func-
tional notation is frequently assumed for predicate logics, both first order 
and higher. But a functional notation that is admitted as primitive in 
a predicate logic must of necessity be interpreted as a notation for to-
tal functions, not partial functions, over the domain of the functions. 
The traditional way of introducing a notation for partial functions into 
a predicate logic with an assumed or defined identity is using the no-
tation (ιx)F of Russell's definite descriptions that is read "the x such 
that F". But the traditional manner of introduction requires the treat-
ment of what Quine has called "the waste cases"; that is when there 
is no x or more than one x such that F. The purpose of this paper is 
to demonstrate that the tableaux method of formalizing logics permits 
the introduction of definite descriptions without the need to provide a 
denotation for waste case definite descriptions. As a result the distor-
tions of meaning that result from Quine's treatment of the waste cases 
are avoided. The technique is illustrated by introducing a notation for 
partial functions into an impredicative version ITT of the simple the-
ory of types. The resulting logic ITT$_f$ is shown to be a conservative 
extension of ITT. The tableaux proof theory of ITT is of independent 
interest both for its motivation and for the strength of its proof theory. 
The logic has a nominalist motivation appropriate for a logic intended 
for applications in computer science. Its extension of the membership 
of the type of the individuals of the simple theory of types avoids the 
abuses of use and mention that can result when higher order predication 
is given a nominalist interpretation. The proof theory does not require 
an axiom of infinity. As a result, the definition of both well-founded and 
non-well-founded recursive predicates is much simpler than in the simple 
theory of types with an axiom of infinity. 



1 Introduction 

A functional notation is not a necessity for a predicate logic since a function 
of n arguments can be represented as a predicate of n + 1 arguments. But as 
remarked by Farmer in [6], where he introduces a partial function notation into 
a version PF of the simple theory of types of [1], “Reasoning about functions 
strictly using relations is neither natural nor efficient, since function application 
must be represented in a verbose, indirect fashion. Nevertheless, this approach is 
perfectly adequate if pragmatic concerns are not important. This approach shows 
that the problem of reasoning about partial functions is not a matter of making 
classical logic more expressive. The problem is, rather, to find a notationally 
efficient way of reasoning about partial functions that is reasonably faithful to 
mathematical practice and that upsets the framework of classical logic as little 
as possible.” 

The classical approach to partial functions has been through Russell's defi-
nite description (ιx)F that is read "the x such that F". Farmer dismisses this 
approach as well as seven others for various reasons that he describes. He dis- 
misses the classical approach because he believes it requires attention to what 
a nondenoting description actually denotes; that is, to considerations of what 
Quine has called the “waste cases” when there does not exist an x such that F, 
or there exists more than one. [15] 

The purpose of this paper is to demonstrate that the tableaux method of 
formalizing logics permits the introduction of definite descriptions without the 
need to provide a denotation for a nondenoting definite description; consequently 
the distortions of meaning that result from Quine’s treatment of the waste cases 
are avoided. In a tableaux proof theory for a logic, each of the rules of deduction 
is an elimination rule for a logical constant that need only be applied when in 
some sense the constant appears in a principal position. Such a logic can be 
extended to admit Russell’s definite description notation by adding one rule of 
deduction for eliminating the notation when it appears in a principal position. As 
a consequence it is unnecessary to consider interpreting a nondenoting definite 
description. 

The technique is illustrated by introducing a notation for partial functions 
into an impredicative version ITT of the simple theory of types that has evolved 
from [7]. The resulting logic ITT$_f$ is shown to be a conservative extension of 
ITT. A step in the proof of this result is the definition in §6.3 of a mapping of 
some of the terms of ITT$_f$ into terms of ITT. The treatment of partial functions 
in this mapping turns out to be somewhat similar in effect to that of Farmer's 
logic PF which takes approach (h) of [6]: 

(h) Partial evaluation for [function] terms but total valuation 
for formulas. 

This adds the following two rules to the standard rules of valuation: 

1. A [function] term denotes a value only if all its subterms denote values. 

2. An atomic formula is false if any [function] term occurring in it is nonde- 
noting. 

However, ITT$_f$ provides a more flexible treatment of partial functions than does 
PF, since there is no sharp distinction between the treatment of partial and of 
total or many-valued functions. 
The tableaux proof theory of ITT is of independent interest both for its 
motivation and for the strength of its proof theory. The logic has a nominalist 
motivation appropriate for a logic intended for applications in computer science. 
Its extension of the types of the simple theory of types avoids the abuses of use 
and mention that can result when higher order predication is given a nominalist 
interpretation. The proof theory does not require an axiom of infinity. As a result, 
the definition of both well-founded and non-well-founded recursive predicates is 
much simpler than in the simple theory of types with an axiom of infinity. [8], [11] 

The motivation for ITT, described in §2, has been adapted from [9] and [11] 
where a semantic proof of the redundancy of cut is provided. The syntax of the 
logic is described in §3 and its proof theory in §4. The reader is referred to [8] or 
[9] for a description of its semantics. In §5 some elementary and novel derivations 
of ITT are presented in preparation for the introduction in §6 of the syntax and 
proof theory for the extension ITT$_f$ of ITT with a partial function notation. A 
proof that ITT$_f$ is a conservative extension of ITT is given in §6.4. 

The financial support of the Natural Science and Engineering Research Coun- 
cil of Canada is gratefully acknowledged. 

2 Motivation for ITT 

Consider a form TT of the simple theory of types in which predicates of any num- 
ber of arguments are admitted, but no functions. The types of such a predicate 
logic can be inductively defined as follows: 

1. 1 is the type of individuals; 

2. $[\tau_1, \dots, \tau_n]$ is the type of the predicates with arguments of the types 
$\tau_1, \dots, \tau_n$, $n \ge 0$. 

The type [], introduced in (2) when $n = 0$, is the type of the truth val-
ues. Apart from notation and the exclusion of functions, these are the types of 
Schütte's type theory [16]. 

Although the types of TT are traditionally thought of as necessary for the 
consistency of the logic, the types can just as well be seen to arise naturally from 
the predicate and subject distinction of natural languages, for these become the 
distinction between a function and its argument (s) when predicates are regarded 
as functions with range the truth values. 

Scepticism has often been expressed that a violation of the type restrictions is 
the ultimate source of the paradoxes. For example, in the concluding paragraph 
of [4] Church comments on a remark of Frege’s “... Frege’s criticism seems to me 
still to retain much of its force, and to deserve serious consideration by those 
who hold that the simple theory of types is the final answer to the riddle of the 
paradoxes”. Here an alternative explanation of the paradoxes is offered, namely 
that they result from a confusion of use and mention, and is used to motivate an 
impredicative simple theory of types ITT. The confusion can arise when higher 
order predication is given a nominalist interpretation. This was first suggested 
as a source of the paradoxes in [17] and [18]. 
2.1 Intensional and Extensional Identity 

Traditionally the basis for an interpretation of TT is the assignment of a set $D(\tau)$ 
to each type $\tau$ as follows: $D(1)$ is a given fixed non-empty set of individuals, 
$D([])$ is the set of the two truth values, and $D([\tau_1, \dots, \tau_n])$, $n > 0$, is the set of 
all subsets of the Cartesian product $D(\tau_1) \times \dots \times D(\tau_n)$. A predicate of type 
$[\tau_1, \dots, \tau_n]$ may have as its $i$'th argument any member of the domain $D(\tau_i)$. 
Intensional and extensional identity are defined in TT: 

$=$ <df> $(\lambda u, v.\forall X.[X(u) \to X(v)])$ 

$=_e$ <df> $(\lambda u, v.\forall x_1, \dots, x_n.[u(x_1, \dots, x_n) \leftrightarrow v(x_1, \dots, x_n)])$ 

The type restrictions necessary for the definitions can be expressed as $v : t[u]$ 
and $X : [t[u]]$ for the first, and as $u, v : [t[x_1], \dots, t[x_n]]$ for the second. Here 
$t[cv]$ denotes the type of a constant or variable $cv$ that is assigned to it by the 
primitive syntax; and $:$ denotes the relationship between a term and its type. 
Using the usual infix notation for the identities, a theorem of TT is: 

IEId $\vdash \forall X, Y.[X = Y \to X =_e Y]$ 

where necessarily $t[X] \ne 1$. The comparable result in the set theory ZF [19] 
is 

IEIdZF $\vdash \forall x, y.[x = y \to x =_e y]$ 

where here $=$ is the primitive identity of a first order logic with identity; (IEIdZF) 
is actually a theorem of that logic. 

The converse of (IEIdZF), the axiom of extensionality, is the first axiom in 
the first formulation of ZF. [20] It is traditional to accept the converse of (IEId) 
as an axiom of TT: 

Ext $\vdash \forall X, Y.[X =_e Y \to X = Y]$ 

This may be acceptable for a pure logic, but it is not for an applied logic trying 
to meet the needs of computer science. For in some such applications, the in- 
tension of a predicate is known only informally and its extension is provided by 
data entry. For example, the extension of an Employee predicate in a company 
database is maintained in this manner along with usually a Sex predicate among 
others. From these two predicates the intension of a predicate MaleEmployee can 
be defined, and its extension retrieved and printed. [10] By an accident of hiring, 
however, the two predicates Employee and MaleEmployee may have the same 
extension; but clearly their intensions must be distinguished. For this reason the 
axiom (Ext) concluding the intensional identity of predicates from their exten- 
sional identity is not accepted in ITT. It will be seen that intensional identity 
can be expressed in ITT by lambda convertability. 
2.2 Nominalism and Higher Order Predication 

In a logic of extensions such as TT, a higher order predicate with predicates as 
arguments is understood to have the extensions of the predicates as arguments. 
But in a logic in which the intension of a predicate is distinguished from its 
extension, higher order predication must be reexamined. 

A nominalist understands a predicate of a universal to be a predicate of a 
name of the universal. For example, a nominalist understands 'Yellow is a colour' 
to mean 'Yellow is a colour-word'; the sentence is understood as a description of 
the use of the word 'Yellow' in English. Since computers are consummate nominal-
ists, nominalist interpretations of languages intended for computer applications 
are needed. But this does require a careful distinction between the use and men-
tion of predicate names, especially when treating abstraction and quantification. 
For example, in 'Yellow is a colour-word' the predicate name 'Yellow' is being 
mentioned while the predicate name 'colour-word' is being used. An excellent 
discussion of use and mention appears in §4 of chapter one of [15]. 

The distinction between the use and mention of predicate names is main-
tained in the logic ITT as follows: The types of ITT are the same as the types 
of TT, but the membership of the type 1 of individuals in ITT is an extension 
of the membership of the same type in TT. The extension consists in adding to 
the membership of the type 1 any higher order term in which at most variables 
of type 1 have a free occurrence. For example, a constant P that is a predicate 
name is necessarily of some type $\tau \ne 1$ and always has that type in contexts 
where it is used. But since no variable has a free occurrence in P, P is also of 
type 1 and it has that type in contexts in which it is being mentioned. 

Mentioning the name of a predicate means that the name is implicitly quoted. 
This is the reason why higher order terms that are also of type 1 must be re- 
stricted to those in which only variables of type 1 have free occurrences. For only 
such terms can be given a Herbrand interpretation when quoted. For example, 
let P be a constant of type [1] and x a variable of type 1. Then P(x) is of type 
[], and also of type 1 . As a type 1 term, P(x) is to be interpreted as the func- 
tion with domain and range the type 1 terms in which no variable has a free 
occurrence: The value of the function P(x) for a term t in its domain is the term 
P(t) in its range. Such an interpretation can't be given for higher order terms 
not satisfying the restriction. For example, if X is a variable of type [1] and c 
a constant of type 1, then X(c) is of type [] but not also of type 1, since X(c) 
cannot be given a Herbrand interpretation. 

2.3 Set Theory and the Lambda Calculus 

For (IEId) to be derivable in TT it is necessary that $t[X] \ne 1$. Although (IEId) 
is not derivable in ITT when $t[X] = 1$, each instance of the following sequent 
scheme is derivable when $R$ and $S$ are terms of type $\tau$, $\tau \ne 1$, that are also of 
type 1 by virtue of their free variables being of type 1: 

IEIds $R = S \vdash R =_e S$ 
This scheme is similar to the scheme that would result from all possible instan-
tiations of (IEIdZF) of ZF. As a consequence, the logic ITT combines features 
from set theory and from a lambda calculus based logic; for this reason it may 
satisfy the requirements for such a logic described in [13]. 

Consider for example the following definitions of zero and successor 

0 <df> $(\lambda u.\neg u = u)$ 

S <df> $(\lambda u, v.u = v)$ 

where $= : [1, 1]$. They are definitions in the style of set theory, but all of Peano's 
axioms are derivable in ITT including the following pair: 

S.1. $\vdash \forall x, y.[S(x) = S(y) \to x = y]$ 

S.2. $\vdash \forall x.\neg S(x) = 0$ 

Dual typing is critical for their derivations: $0 : [1]$ and $S : [1, 1]$, but also $0 : 1$ and 
$S(x) : 1$ when $x : 1$. But also the lambda calculus definition of ordered pair from [5] 
is available 

$\langle\rangle$ <df> $(\lambda u, v, w.w(u, v))$ 

and the following sequents can be derived 

OP.1. $\vdash \forall x1, y1, x2, y2.[\langle x1, y1\rangle = \langle x2, y2\rangle \to x1 = x2 \wedge y1 = y2]$ 

OP.2. $\vdash \forall x, y.\neg\langle x, y\rangle = 0$ 

Just as the sequents (S.1) and (S.2)justify the use of S as a "constructor" in 
Horn clause definitions of recursive predicates, so do (OP.1) and (OP.2) justify 
the use of ordered pair. Further definitions, derivations and details are provided 
in [8] and [11]. Also provided there is a foundation for recursions. Both well-
founded and non-well-founded recursive predicates are defined there using a 
decidable set of terms called recursion generators; the technique is demonstrated 
using higher order Horn sequent definitions with computations being defined as 
iterations of recursion generators. This overcomes the complications that arise 
from the need for an axiom of infinity in the applied versions TPS, HOL, and 
PVS of the simple theory of types. [2], [12], [14]. 

3 The Syntax 

The logic ITT is assumed to have denumerably many constants and variables of 
each type. The type of a constant or variable is not displayed but must be either 
declared or inferred from context. For a constant or variable $cv$, $t[cv]$ denotes its 
type; this is expressed in the usual fashion as $cv : t[cv]$. 

In the style of [5], special constants introduce the logical connectives and 
the quantifiers. The binary logical connective of joint denial, denoted by ↓, is 
a special constant of type [[], []]; that is, it is a predicate of two arguments of 
type []; it is the only primitive logical connective needed since the more usual 
logical connectives can be defined in terms of it. Similarly a special constant ∀ of 
type $[[\tau]]$ is introduced for each type $\tau$; it is the universal quantifier for a type $\tau$ 
variable. The type of each ∀ is not displayed but must be inferred from context. 
The existential quantifier ∃ is defined in terms of ∀ in the usual way. 

Definition of Type Membership 

1. $cv : t[cv]$, for each constant or variable $cv$; $\downarrow : [[], []]$; and $\forall : [[\tau]]$ for each 
type $\tau$. 

2. $M : [\tau, \tau_1, \dots, \tau_n]$ & $N : \tau \Rightarrow (MN) : [\tau_1, \dots, \tau_n]$, $n \ge 0$. 

3. $M : [\tau_1, \dots, \tau_n] \Rightarrow (\lambda x.M) : [t[x], \tau_1, \dots, \tau_n]$, $n \ge 0$. 

4. $M : [\tau_1, \dots, \tau_n] \Rightarrow M : 1$, $n \ge 0$, provided each variable with a free 
occurrence in $M$ is of type 1. 

The unusual clause (4) results from the nominalist interpretation discussed 
in §2. The type 1 assigned to $M$ in (4) is called the dual type of $M$. Note that no 
term of type 1 and no variable has a dual type. However a constant $c$ for which 
$t[c] \ne 1$ has 1 as a dual type; nevertheless, $t[c]$ is always to be understood to be 
the type assigned by the primitive syntax, and never the dual type 1 assigned 
by clause (4). 

By a term is meant a member of a type. Note that a term of type 1 is a 
constant, a variable, or a term of dual type 1 since clauses (1) and (4) are the 
only ones that yield terms of type 1. 
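The four clauses of the definition, including the dual type of clause (4), as an added example (not the paper's code). The encoding of types and terms and the sample signature are assumptions of the example; the terms P(x), X(c) and 0 are the ones discussed in §2.2 and §2.3.

```python
"""Type membership for ITT, clauses 1-4 above, including the dual type.

Added example, not the paper's code. Assumed encoding: the type 1 of
individuals is the integer 1; a predicate type [t1,...,tn] is the tuple
(t1,...,tn), so () is the type [] of truth values. Terms are tuples
('var', name), ('const', name), ('lam', x, body), ('app', M, N); `env`
maps each constant or variable name to the type t[cv] assigned to it by
the primitive syntax.
"""


def free_vars(t):
    k = t[0]
    if k == 'var':
        return {t[1]}
    if k == 'const':
        return set()
    if k == 'lam':
        return free_vars(t[2]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])


def primary_type(t, env):
    """The type given by clauses 1-3; raises TypeError for an ill-typed term."""
    k = t[0]
    if k in ('var', 'const'):
        return env[t[1]]                                      # clause 1
    if k == 'app':
        mt, nt = primary_type(t[1], env), primary_type(t[2], env)
        if mt == 1 or len(mt) == 0 or mt[0] != nt:
            raise TypeError(f"cannot apply a term of type {mt} to one of type {nt}")
        return mt[1:]                                         # clause 2
    x, body = t[1], t[2]
    bt = primary_type(body, env)
    if bt == 1:
        raise TypeError("abstraction over a term of type 1")
    return (env[x],) + bt                                     # clause 3


def well_typed(t, env):
    try:
        primary_type(t, env)
        return True
    except TypeError:
        return False


def has_dual_type(t, env):
    """Clause 4: a higher-order term is also of type 1 exactly when every
    variable with a free occurrence in it is of type 1. A variable of a
    type other than 1 occurs free in itself, so it never gets a dual type."""
    return primary_type(t, env) != 1 and all(env[v] == 1 for v in free_vars(t))


def types_of(t, env):
    """All types of t: its primary type, followed by 1 when it has the dual type."""
    types = [primary_type(t, env)]
    if has_dual_type(t, env):
        types.append(1)
    return types


# Constructed signature: P : [1], X : [1] (a variable), x, c, u : 1,
# = : [1,1], and ¬ : [[]] (named 'not' here).
ENV = {'P': (1,), 'X': (1,), 'x': 1, 'c': 1, 'u': 1, '=': (1, 1), 'not': ((),)}
U = ('var', 'u')
P_X = ('app', ('const', 'P'), ('var', 'x'))          # P(x): type [] and dual type 1
X_C = ('app', ('var', 'X'), ('const', 'c'))          # X(c): type [] but no dual type
ZERO = ('lam', 'u', ('app', ('const', 'not'),
                     ('app', ('app', ('const', '='), U), U)))   # 0 <df> (λu.¬u = u)

if __name__ == '__main__':
    for name, term in [('P(x)', P_X), ('X(c)', X_C), ('0', ZERO), ('P', ('const', 'P'))]:
        print(name, types_of(term, ENV))
```

The two contrasting cases from §2.2 come out as stated there: `P(x)` is of type [] and also of type 1, while `X(c)` is of type [] only, because the free variable `X` is not of type 1. The definition `0` of §2.3 gets the types [1] and 1, which is the dual typing its derivations rely on.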

Let $N : t[x]$. The substitution notation $[N/x]M$ denotes the result of replacing 
each free occurrence of $x$ in a term $M$ by $N$. The notation can result in changes 
of bound variables within $M$; a change is necessary if a free occurrence of $x$ in 
$M$ is within the scope of an abstractor $\lambda y$ for which $y$ has a free occurrence in 
$N$. 

A formula of ITT is a term of type []. Formulas are the basis for the proof 
theory for ITT. But first the sparse notation of the lambda calculus is extended 
by definitions that introduce notations more common to predicate logics. The 
application notation is "sugared" by the definitions 

$M(N)$ <df> $MN$ 

$M(N_1, \dots, N_m, N)$ <df> $M(N_1, \dots, N_m)(N)$, $m \ge 1$. 

The prefix notation for ↓ is replaced by an infix notation. All of the usual logical 
connectives can be defined from ¬ and ∨ which are defined 

$\neg M$ <df> $[M \downarrow M]$ 

$[M \vee N]$ <df> $[[M \downarrow N] \downarrow [M \downarrow N]]$ 

A conventional notation for the universal quantifier is defined: 

$\forall x.M(x)$ <df> $\forall(M)$, 

where $M : [t[x]]$ and $x$ has no free occurrence in $M$. 
Here is a definition of formula in the style of [16]: 

1. $cn(S_1, \dots, S_n)$ is a prime formula and a formula if $cn : [\tau_1, \dots, \tau_n]$ and 
$S_i : \tau_i$, $1 \le i \le n$. 

2. $[F \downarrow G]$ is a formula if $F$ and $G$ are formulas. 

3. $\forall x.F$ is a formula if $F$ is. 

4. $(\lambda x.T)(S, S_1, \dots, S_n)$ is a formula if $([S/x]T)(S_1, \dots, S_n)$ is a formula and 
$S : t[x]$. 

That an expression defined in this way is a term of type [] follows from the 
definition of type membership. That a term of type [] can be defined as a formula 
in Schütte's style follows from the fact that all terms of a typed lambda calculus 
have a normal form. [3] 

The relation of immediate lambda reduction between terms is denoted here 
by $>$, and allows α-, β-, and η-reductions [3]. It is recursively defined as 
follows: 

1. $(\lambda x.M) > (\lambda y.[y/x]M)$, provided $y$ has no free occurrence in $M$. 

   $(\lambda x.M)N > [N/x]M$. 

   $(\lambda x.(Mx)) > M$, provided $x$ has no free occurrence in $M$. 

2. Let $M > N$. Then 

   .1. $MP > NP$ and $PM > PN$. 

   .2. $(\lambda x.M) > (\lambda x.N)$. 
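The reduction relation just defined, together with the capture-avoiding substitution $[N/x]M$ of the preceding paragraph, as an added example that is not the paper's code. The tuple encoding of terms is an assumption of the example; the terms reduced are the definitions 0 and S of §2.3, and a case where a bound variable must be renamed.

```python
"""Immediate lambda reduction (>) as defined above, with the capture-avoiding
substitution [N/x]M it relies on.

Added example, not the paper's code. Assumed encoding: terms are tuples
('var', n), ('const', n), ('lam', x, body), ('app', M, N). Types are not
tracked, so normalize() takes a step limit instead of relying on the strong
normalization of the typed calculus.
"""


def free_vars(t):
    k = t[0]
    if k == 'var':
        return {t[1]}
    if k == 'const':
        return set()
    if k == 'lam':
        return free_vars(t[2]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])


def fresh(base, avoid):
    """A variable name not in `avoid`, for the alpha step of clause 1."""
    name, i = base, 0
    while name in avoid:
        i += 1
        name = f"{base}{i}"
    return name


def subst(m, x, n):
    """[N/x]M: replace the free occurrences of x in M by N; a bound variable y
    of M is renamed first (alpha) when y has a free occurrence in N."""
    k = m[0]
    if k == 'var':
        return n if m[1] == x else m
    if k == 'const':
        return m
    if k == 'app':
        return ('app', subst(m[1], x, n), subst(m[2], x, n))
    y, body = m[1], m[2]
    if y == x or x not in free_vars(body):
        return m
    if y in free_vars(n):
        y2 = fresh(y, free_vars(n) | free_vars(body))
        body, y = subst(body, y, ('var', y2)), y2
    return ('lam', y, subst(body, x, n))


def step(t):
    """One immediate reduction M > N (beta, eta, or a congruence step of
    clause 2); None when no reduction applies."""
    k = t[0]
    if k == 'app':
        f, a = t[1], t[2]
        if f[0] == 'lam':                         # beta: (λx.M)N > [N/x]M
            return subst(f[2], f[1], a)
        r = step(f)                               # 2.1: MP > NP
        if r is not None:
            return ('app', r, a)
        r = step(a)                               # 2.1: PM > PN
        return None if r is None else ('app', f, r)
    if k == 'lam':
        x, body = t[1], t[2]
        if body[0] == 'app' and body[2] == ('var', x) and x not in free_vars(body[1]):
            return body[1]                        # eta: (λx.(Mx)) > M
        r = step(body)                            # 2.2: (λx.M) > (λx.N)
        return None if r is None else ('lam', x, r)
    return None


def normalize(t, limit=10000):
    """Reduce t until no immediate reduction applies."""
    for _ in range(limit):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("no normal form reached within the step limit")


def show(t):
    k = t[0]
    if k in ('var', 'const'):
        return t[1]
    if k == 'lam':
        return f"(λ{t[1]}.{show(t[2])})"
    return f"({show(t[1])} {show(t[2])})"


# The definitions of 0 and S from §2.3, with = a constant of type [1,1];
# λu,v.M is read as λu.λv.M and M(N1,N2) as M N1 N2 by the sugaring above.
def eq(a, b):
    return ('app', ('app', ('const', '='), a), b)


U, V = ('var', 'u'), ('var', 'v')
ZERO = ('lam', 'u', ('app', ('const', '¬'), eq(U, U)))
SUCC = ('lam', 'u', ('lam', 'v', eq(U, V)))

if __name__ == '__main__':
    for t in (('app', ('app', SUCC, ('var', 'x')), ('var', 'y')),   # S(x)(y)
              ('app', ZERO, ('var', 'x')),                         # 0(x)
              ('app', ('lam', 'u', ('lam', 'v', U)), V)):          # capture case
        print(show(t), ' >* ', show(normalize(t)))
```

`S(x)(y)` reduces to `x = y` and `0(x)` to `¬x = x`, which are the steps labelled λ in the derivations of §5. In the third term the argument `v` would be captured by the inner abstractor, so `subst` renames it to `v1` first, exactly the situation the substitution paragraph describes.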

4 Proof Theory 

The proof theory is presented as a logic of sequents using analytic tableaux 
derivations. The rules for the logical connectives ¬ and ∧ and for the quantifier 
∀ are the usual; rules for the other logical connectives and the quantifier ∃ are 
left to the reader to derive. Rules are added for λ removal. The proof theory can 
be seen to be equivalent to the theory presented in [8], [9] and [11]. 

$$\neg\neg:\ \frac{\neg\neg F}{F} \qquad \wedge:\ \frac{[F \wedge G]}{F,\ G} \qquad \neg\wedge:\ \frac{\neg[F \wedge G]}{\neg F \;\mid\; \neg G}$$

$$\forall:\ \frac{\forall x.F}{[T/x]F}\ \ T : t[x]\ \text{(the eigenterm)} \qquad \neg\forall:\ \frac{\neg\forall x.F}{\neg[y/x]F}\ \ y : t[x]\ \text{and is new}$$

$$\lambda:\ \frac{F}{G} \qquad \neg\lambda:\ \frac{\neg F}{\neg G} \qquad \text{where for each rule, } F > G.$$

An analytic tableau based on a sequent $F_1, \dots, F_m \vdash G_1, \dots, G_n$ has initial 
nodes consisting of a selection from the formulas $F_1, \dots, F_m, \neg G_1, \dots, \neg G_n$. A 
branch of an analytic tableau is closed if there is a closing pair of nodes $F$ and 
$\neg F$ on the branch. An analytic tableau is closed if each of its branches is closed. 
A derivation of a sequent is a closed analytic tableau based on the sequent. 

By a subsequent of a sequent is meant one with possibly some formulas 
removed. It is not difficult to establish that if a sequent has a derivation then a 
derivation exists for a subsequent in which each branch of the derivation has a 
single pair of closing nodes and every node of the derivation has a descendant 
that is a member of a closing pair. For the remainder of the paper by a derivation 
is meant a derivation with these two properties. 
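The notion of derivation just defined, as an added example that is not the paper's code: a small search procedure that grows the tableau for a sequent from the initial nodes $F_1, \dots, F_m, \neg G_1, \dots, \neg G_n$ using only the ¬¬, ∧ and ¬∧ rules above and the closing-pair test. The tuple encoding of formulas is assumed; →, ∨ and ↔ are treated as abbreviations in terms of ¬ and ∧, so no further rules are needed for them, and the quantifier and λ rules are not covered.

```python
"""Analytic tableau derivations of propositional sequents with the rules
¬¬, ∧ and ¬∧ above and closing pairs F, ¬F.

Added example, not the paper's code. Assumed encoding: formulas are
tuples ('atom', name), ('not', F), ('and', F, G); the remaining connectives
are definitional abbreviations.
"""


def atom(n):
    return ('atom', n)


def neg(f):
    return ('not', f)


def conj(f, g):
    return ('and', f, g)


def imp(f, g):
    return neg(conj(f, neg(g)))            # [F → G] as ¬[F ∧ ¬G]


def disj(f, g):
    return neg(conj(neg(f), neg(g)))       # [F ∨ G] as ¬[¬F ∧ ¬G]


def iff(f, g):
    return conj(imp(f, g), imp(g, f))


def complement(f):
    """The node that forms a closing pair with f."""
    return f[1] if f[0] == 'not' else neg(f)


def expansions(f):
    """Branches (lists of new nodes) produced by the rule for node f, or None
    when f is a literal and no rule applies."""
    if f[0] == 'and':
        return [[f[1], f[2]]]                                  # ∧
    if f[0] == 'not' and f[1][0] == 'not':
        return [[f[1][1]]]                                     # ¬¬
    if f[0] == 'not' and f[1][0] == 'and':
        return [[neg(f[1][1])], [neg(f[1][2])]]                # ¬∧ splits
    return None


def closes(todo, seen=frozenset()):
    """True iff every branch of the tableau grown from the nodes in `todo`
    (with `seen` the nodes already on the branch) contains a closing pair."""
    todo = list(todo)
    while todo:
        f = todo.pop()
        if f in seen:
            continue
        if complement(f) in seen:
            return True                                        # closing pair F, ¬F
        seen = seen | {f}
        branches = expansions(f)
        if branches is None:
            continue
        if len(branches) == 1:
            todo.extend(branches[0])
        else:
            return all(closes(todo + b, seen) for b in branches)
    return False                                               # an open branch


def derivable(premises, conclusions):
    """A derivation of F1,...,Fm ⊢ G1,...,Gn is a closed tableau with initial
    nodes F1,...,Fm, ¬G1,...,¬Gn."""
    return closes(list(premises) + [neg(g) for g in conclusions])


p, q, r = atom('p'), atom('q'), atom('r')

if __name__ == '__main__':
    print(derivable([conj(p, q)], [conj(q, p)]))            # closed tableau
    print(derivable([imp(p, q), imp(q, r)], [imp(p, r)]))   # closed tableau
    print(derivable([p], [q]))                              # open branch
```

Because the search only ever adds nodes produced by a rule applied to a node already on the branch, a closed result is a derivation in the sense above; an open branch is returned as soon as every node on it has been expanded without a closing pair.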



5 Example Derivations 

The following notational conventions will be followed. Strings of lower and upper 
case Latin letters and numerals beginning with the letters u, v, w, x, y, and z 
are variables. When a term is known to be a formula, the types of constants 
and variables occurring in it can often be inferred and in these cases will not 
be declared. Strings which are not variables may be used, along with special 
symbols such as = and <, as names of predicates introduced by definition. Such 
a string may often be assumed to be polymorphic since the type of a predicate 
and the relationship between the types of its arguments can often be determined 
from its definition. 

The following type and type declaration notation will be used here and in the 
remainder of the paper. The notation $\bar\tau$ denotes a sequence of $n$ types $\tau_1, \dots, \tau_n$, 
for some $n \ge 0$; thus $[\bar\tau, \tau]$ is the type $[\tau_1, \dots, \tau_n, \tau]$. A type declaration $\bar z : \bar\tau$ 
is to be understood as declaring that $\bar z$ is a sequence $z_1, \dots, z_n$ of distinct vari-
ables of types $\tau_1, \dots, \tau_n$ respectively, and a declaration $\bar s : \bar\tau$ that $\bar s$ is a sequence 
$s_1, \dots, s_n$ of terms of types $\tau_1, \dots, \tau_n$ respectively for some $n \ge 0$. 

A Derivation of (IEIds) of 2.3 

Here is a full annotated derivation. 

  R = S                                          initial node 
  ¬R =_e S                                       initial node 
  (λu,v.∀Z.[Z(u) → Z(v)])(R,S)                   df = 
  (λv.∀Z.[Z(R) → Z(v)])(S)                       λ 
  ∀Z.[Z(R) → Z(S)]                               λ 
  [T(R) → T(S)]                                  ∀ with T <df> λw.R =_e w 

  L                                              R 
  ¬T(R)                                          T(S) 
  ¬(λw.R =_e w)(R)              df T             (λw.R =_e w)(S)        df T 
  ¬R =_e R                      ¬λ               R =_e S                λ 
  ¬∀z.[R(z) ↔ R(z)]             df =_e 
  ¬[R(z) ↔ R(z)]                ¬∀ 
  ¬[[R(z) → R(z)] ∧ [R(z) → R(z)]]   df ↔ 

  LL                            LR 
  ¬[R(z) → R(z)]                repeat LL 
  R(z) 
  ¬R(z) 


A Derivation of (S.1) of 2.3 

An abbreviated derivation follows: 

  ¬∀x,y.[S(x) = S(y) → x = y] 
  ¬[S(x) = S(y) → x = y] 
  S(x) = S(y) 
  ¬x = y 

  S(x) =_e S(y)                    ¬S(x) =_e S(y)       Cut 
  ∀z.[S(x)(z) ↔ S(y)(z)]           S(x) =_e S(y)        IEIds 
  [S(x)(y) ↔ S(y)(y)]              ======== 
  [S(y)(y) → S(x)(y)] 

  ¬S(y)(y)          S(x)(y) 
  ¬y = y            x = y 



A Derivation of (S.2) of §2.3 

$\neg\forall x.\neg S(x) = 0$ 
$\neg\neg S(x) = 0$ 
$S(x) = 0$ 
Cut on $S(x) =_e 0$: 
  Left branch: $S(x) =_e 0$ 
    $\forall z.[S(x)(z) \leftrightarrow 0(z)]$ 
    $[S(x)(x) \leftrightarrow 0(x)]$ 
    $[S(x)(x) \to 0(x)]$ 
    Left: $\neg S(x)(x)$, then $\neg x = x$ (closed) 
    Right: $0(x)$, then $\neg x = x$ (closed) 
  Right branch: $\neg S(x) =_e 0$ 
    $S(x) =_e 0$ by (IEIds) from $S(x) = 0$ (closed) 

6 Functional Notations 

An implicit notation for functions is available in ITT in the form of higher order 
terms that are also first order terms. The term $S$ defined in §2.3, for example, was 
used in this way in the derivations of (S.1) and (S.2) in §5: for a first order term 
$t$, $S(t)$ is a first order term. ITT is extended here to a logic ITT$_f$ with an explicit 
partial function notation for functions with arguments of any type and values of 
type 1. A simplified version of Russell's notation for definite descriptions is used 
to introduce the functional notation. It makes use of the following definition, in 
which $= : [1,1]$: 

$\exists! y.F <df> \exists y.[F \wedge \forall x.[[x/y]F \to y = x]]$ 



6.1 Syntax and Proof Theory of ITT$_f$ 

The notation introduced in the second paragraph of §5 is used in the following 
definition of the terms of ITT$_f$: 

1. A term of ITT is a term of ITT$_f$ of the same type. 

2. Let $T : [\bar\sigma, 1]$ and $\bar s : \bar\sigma$ be terms of ITT$_f$. Then $fT(\bar s)$ is a term of ITT$_f$ 
of type 1. 

3. $M : [\tau, \tau_1, \ldots, \tau_n]$, $N : \tau$ $\Rightarrow$ $(MN) : [\tau_1, \ldots, \tau_n]$, $n \geq 0$. 

4. $M : [\tau_1, \ldots, \tau_n]$ $\Rightarrow$ $(\lambda x.M) : [\tau[x], \tau_1, \ldots, \tau_n]$, $n \geq 0$. 

The terms $fT(\bar s)$ are called $f$-terms. Note that (3) and (4) are (2) and (3) 
of the definition of type membership in §3, while (4) from §3 does not apply 
to terms in which $f$-terms occur. Using Russell's notation, the $f$-term $fT(\bar s)$ 
would be expressed as $(\iota x)T(\bar s, x)$, where $x : 1$ has no free occurrence in $T(\bar s)$. 
Thus the $f$ notation takes advantage of $\lambda$ abstraction and assumes that the 
$n+1$'st argument of the predicate $T$ is used for the value of the function to be 
represented. 

6.2 The Proof Theory of ITT$_f$ 

The definition in §3 of the lambda reduction relation $>$ on the formulas of ITT 
is extended to the formulas of ITT$_f$ by defining: if $R > G$, then $fR > fG$. The 
domain $\delta T$ of the partial function $fT$ obtained from a term $T : [\bar\sigma, 1]$ is defined: 

$\delta T <df> \lambda\bar u.\exists! x.T(\bar u, x)$ 

The rules of ITT given in §5 are also rules of ITT$_f$. One additional rule 
permits the removal of $f$-terms: 

$[fT(\bar s)/x]F$ 
---------------------------------------------- ($f$) 
$\exists x.[T(\bar s, x) \wedge F]$   |   $\neg\delta T(\bar s)$ 

where $x$ is a variable without a free occurrence in $T(\bar s)$, and no $f$-term 
has a free occurrence in $T(\bar s)$. 

The term $fT(\bar s)$ is called the removed term of an application of the rule. The 
closure condition on a branch of a tree of ITT$_f$ is exactly the same as that for 
ITT; that is, a branch is closed if there is a closing pair of nodes $F$ and $\neg F$ on 
the branch, where $F$ is a formula of ITT. Thus for a branch to be closed, it is 
necessary to have a closing pair of nodes in which $f$-terms do not occur. 

Examples. As noted before, $S$ can be understood to be a total function; that is, 
the following sequent is derivable: 

1) $\vdash \forall x.\exists! y.S(x) = y$ 

The inverse of $S$ is a partial function, the "destructor" for the "constructor" 
$S$. It is $fIS$, where $IS$ is defined to be $\lambda u,v.u = S(v)$. That is, the following 
sequent is derivable: 

2) $\vdash \forall x.fIS(S(x)) = x$ 

An abbreviated derivation follows: 

$\neg\forall x.fIS(S(x)) = x$ 
$\neg fIS(S(x)) = x$ 
Rule $f$ with removed term $fIS(S(x))$: 
  Left branch: $\exists y.[IS(S(x),y) \wedge \neg y = x]$ 
    $[IS(S(x),y) \wedge \neg y = x]$ 
    $IS(S(x),y)$ 
    $\neg y = x$ 
    $S(x) = S(y)$ 
    $x = y$ (S.1) 
  Right branch: $\neg\delta IS(S(x))$ 
    $\neg(\lambda u.\exists! x.IS(u,x))(S(x))$ 
    $\neg\exists! y.IS(S(x),y)$ 
    $\neg\exists y.[IS(S(x),y) \wedge \forall z.[IS(S(x),z) \to z = y]]$ 
    $\neg[IS(S(x),x) \wedge \forall z.[IS(S(x),z) \to z = x]]$ 
    Left: $\neg\forall z.[IS(S(x),z) \to z = x]$ 
      $IS(S(x),z)$ 
      $\neg z = x$ 
      $S(x) = S(z)$ 
      $x = z$ (S.1) 
    Right: $\neg IS(S(x),x)$ 
      $\neg S(x) = S(x)$ 

The following sequent, on the other hand, is not derivable because of (S.2): 

3) $\vdash \exists y.fIS(0) = y$ 

6.3 Translating a Derivation in ITT$_f$ to a Derivation in ITT 

A term of ITT$_f$ that is not a term of ITT is called an $f$-extended term. Thus one 
or more $f$-terms occur free or bound in an $f$-extended term. An $f$-term $fS$ in 
which no $f$-term has a free occurrence is said to be $f$-prime. A prime component 
of an $f$-extended term $T$ is an $f$-prime $f$-term $fR$ for which, for some variable $x$ 
and term $T'$ in which $x$ occurs free, $T$ is $[fR/x]T'$. Since all the $f$-prime $f$-terms 
can be linearly ordered, it is possible to define the first prime component of an 
$f$-extended term that is not $f$-prime. 

A mapping $*$ of some terms of ITT$_f$ into terms of ITT is defined: 

1. If $R$ is a term of ITT, then $*R$ is $R$. 

2. Consider the formulas of ITT$_f$ that are not formulas of ITT. 

(a) If $cv(S_1, \ldots, S_n)$ is $f$-prime then $*cv(S_1, \ldots, S_n)$ is $cv(*S_1, \ldots, *S_n)$. 
Otherwise let $fR$ be the first prime component of $cv(S_1, \ldots, S_n)$. 
Then $*cv(S_1, \ldots, S_n)$ is $\exists x.[*R(x) \wedge *cv(S'_1, \ldots, S'_n)]$, where 
$S_i$ is $[fR/x]S'_i$ and $fR$ has no free occurrence in any $S'_i$. 

(b) $*\neg F$ is $\neg *F$, $*[F \wedge G]$ is $[*F \wedge *G]$, and $*\forall x.F$ is $\forall x.*F$. 

(c) $*(\lambda x.T)(S, S_1, \ldots, S_n)$ is $*[S/x]T(S_1, \ldots, S_n)$. 

3. Consider the $f$-prime terms of ITT$_f$ of type $[\bar\tau]$, where $\bar\tau$ is not empty, 
that are not terms of ITT. 

(a) $*(MN)$ is $(*M\ *N)$ 

(b) $*(\lambda x.T)$ is $(\lambda x.*T)$ 

The case of an $f$-prime term of type 1 that is not a term of ITT is not 
considered, since such terms cannot exist: an $f$-term can only be bound by 
$\lambda$-abstraction, and $\lambda$-abstraction cannot be applied to a term of type 1. Thus 
$*F$ is a formula of ITT for each formula $F$ of ITT$_f$. 

6.4 ITT$_f$ is a Conservative Extension of ITT 

This section is devoted to a proof that ITT$_f$ is a conservative extension of ITT; 
that is, to a proof of the following theorem: 

Theorem 

A sequent of ITT that is derivable in ITT$_f$ is derivable in ITT. 

Proof 

Let Derv$_f$ be a derivation in ITT$_f$ of a sequent of ITT. Each node $H$ of Derv$_f$ 
is replaced by $*H$ to produce a tree $*$Derv$_f$ of formulas of ITT that may not be 
a derivation in ITT. 

Lemma 

Let $F$ be the premiss and $G$ the conclusion of a single conclusion rule other than 
$\forall$, or let $G$ and $H$ be the two conclusions of $\neg\wedge$, or of $f$ with a removed term 
that is $f$-prime. Then $*F \vdash *G$ and $*F \vdash *G, *H$ are derivable sequents of ITT. 

The lemma follows immediately from the definition of $*$ for all the rules other 
than $f$. The sequent for the $f$-rule, namely $*[fR/x]F \vdash \exists x.[*R(x) \wedge *F], \delta R$ 
where $R$ is $f$-prime, can be shown to be derivable for any $F$ by induction on the 
definition of $F$, thus also when $F$ is replaced by $\neg F$. 

The $\forall$-rule has been excluded from the lemma because its premiss $\forall x.F$ may 
be a formula of ITT while its conclusion $[T/x]F$ may not. But note that if $T$ 
is $f$-prime, then $*[T/x]F$ is $[*T/x]F$, which is a formula of ITT if $F$ is. Thus in 
order to construct a derivation of ITT from the tree $*$Derv$_f$, it is sufficient to 
show that each application of $\forall$ in Derv$_f$ with an eigenterm that is not $f$-prime 
can be justified in $*$Derv$_f$. The proof proceeds by induction on the number of 
prime components that can be extracted from $T$, with the case of zero prime 
components being immediate. 

Consider a first application of $\forall$ in Derv$_f$ for which the premiss $\forall x.F$ is a 
formula of ITT and the conclusion $[T/x]F$ is not. Let $fR$ be the first prime 
component of $T$, so that $T$ is $[fR/u]T'$ for some term $T'$ in which $fR$ has no 
free occurrence. There are two cases to consider: 

a) There is no application of $f$ with premiss a descendant of $[[fR/u]T'/x]F$ 
in which $fR$ is the removed term. In this case consider each free occurrence of 
$fR$ in $[[fR/u]T'/x]F$ and in each descendant $[fR/u]G$. All these free occurrences 
may be replaced by a first order constant. The result is a derivation in 
which $T'$ has one fewer prime component than $T$ does. 

b) There is an application of $f$ with premiss a descendant $[fR/u]G$ of 
$[[fR/u]T'/x]F$ with $fR$ the removed term. 

By induction on the number of applications of rules used to obtain $[fR/u]G$ as 
a descendant of $[[fR/u]T'/x]F$ it can be proved that the application of $f$ with 
premiss $[fR/u]G$ can be replaced by an application with premiss $[[fR/u]T'/x]F$. 
Thus the chosen application of $\forall$ can be assumed to appear as follows in Derv$_f$: 

$\forall x.F$ 
$[[fR/u]T'/x]F$ ($\forall$) 
Rule $f$: 
  Left branch: $\exists u.[R(u) \wedge [T'/x]F]$, followed by Tree 1 
  Right branch: $\neg\delta R$, followed by Tree 2 

Before translation by $*$, this portion of Derv$_f$ is first transformed to 

$\forall x.F$ 
$[[c/u]T'/x]F$ ($\forall$, where $c : 1$) 
Cut on $[[fR/u]T'/x]F$: 
  Left branch: $[[fR/u]T'/x]F$, followed by the subtree marked † 
  Right branch: $\neg[[fR/u]T'/x]F$ 
    Rule $f$: 
      Left: $\exists u.[R(u) \wedge \neg[T'/x]F]$ 
        $[R(w) \wedge \neg[[w/u]T'/x]F]$ 
        $\neg[[w/u]T'/x]F$ 
        $[[w/u]T'/x]F$ ($\forall$) 
        ======= † 
      Right: $\neg\delta R$, followed by Tree 2† 

The nodes of the subtree marked † and of the tree Tree 2† are obtained respectively from the 
corresponding nodes in Derv$_f$ and Tree 2 as follows. Consider the free occurrences 
of $fR$ in nodes of Derv$_f$ and Tree 2 that are descendants of $[[fR/u]T'/x]F$ 
and that correspond to free occurrences in $[[fR/u]T'/x]F$. The nodes of † 
and of Tree 2† are obtained from Derv$_f$ and Tree 2 by replacing each such free 
occurrence of $fR$ by $c$. 

Each of the terms $[c/u]T'$ and $[w/u]T'$ in the conclusions of the applications 
of $\forall$ in the transformed Derv$_f$ has one fewer prime component than $T$. Since 
the "closure" indicated by ===† is a proper closure in $*$Derv$_f$, this completes 
a proof of the theorem. 

End of proof 



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1 Introduction 

First-order logic with equality is one of the most pervasive logics in use, whether 
in mathematics, logic or computer science. For real applications, however, auto- 
mated provers need to be complemented with axioms of interest, e.g. for arith- 
metic, or for associative-commutative operations. It is then interesting to build 
these axioms inside the prover itself, for performance reasons. This has been 
done for a variety of theories, whether equational [13] or not [14]. 

One form of theory that has not yet been investigated is that of datatype 
constructors. Consider for instance the specification of the type nat of unary 
integers and natlist of lists of unary integers in Standard ML [9]: 

datatype nat = 0 | S of nat; 

datatype natlist = nil | cons of nat * natlist; 

This specifies a many-sorted signature $0 : \mathrm{nat}$, $S : \mathrm{nat} \to \mathrm{nat}$, $\mathrm{nil} : \mathrm{natlist}$ 
and $\mathrm{cons} : \mathrm{nat} \times \mathrm{natlist} \to \mathrm{natlist}$. This also states that the only ground 
terms of sort nat are those built up using 0 and S, and that the only ground 
terms of sort natlist are those built up using nil and cons atop ground terms 
of sort nat. This can be expressed by structural induction schemes: 

$\forall P_{\mathrm{nat} \to o} \cdot P(0) \wedge (\forall n_{\mathrm{nat}} \cdot P(n) \supset P(S(n))) \supset \forall n_{\mathrm{nat}} \cdot P(n)$ 

$\forall P_{\mathrm{natlist} \to o} \cdot P(\mathrm{nil}) \wedge (\forall n_{\mathrm{nat}}, \ell_{\mathrm{natlist}} \cdot P(\ell) \supset P(\mathrm{cons}(n, \ell))) \supset \forall \ell_{\mathrm{natlist}} \cdot P(\ell)$ 

The ML declarations above also imply that distinct ground terms always denote 
distinct values. This can be described by non-confusion axioms ($\approx$ is equality): 

$\forall n_{\mathrm{nat}} \cdot \neg S(n) \approx 0$   $\forall m_{\mathrm{nat}}, n_{\mathrm{nat}} \cdot S(m) \approx S(n) \supset m \approx n$ 

$\forall \ell_{\mathrm{natlist}}, m_{\mathrm{nat}} \cdot \neg \mathrm{cons}(m, \ell) \approx \mathrm{nil}$ 

$\forall \ell_{\mathrm{natlist}}, \ell'_{\mathrm{natlist}}, m_{\mathrm{nat}}, n_{\mathrm{nat}} \cdot \mathrm{cons}(m, \ell) \approx \mathrm{cons}(n, \ell') \supset \ell \approx \ell' \wedge m \approx n$ 

and also e.g. $\forall n_{\mathrm{nat}} \cdot \neg n \approx S(n)$, which forbid cycles and are inductive consequences 
of the above. Symbols like 0, S, nil, cons that obey non-confusion are 
usually referred to as free constructors of the datatypes nat and natlist. 

These theories are very natural, and have been considered elegant founda- 
tions for inductive datatypes both in programming language design and in proof 
assistants, like Coq [1]. Recently, frameworks for analyzing and proving prop- 
erties of cryptographic protocols [3,12] also used similar inductive definitions: 
messages are typically described as the following datatype msg: 



Neil V. Murray (Ed.): TABLEAUX’99, LNAI 1617, pp. 202-216, 1999. 
(c) Springer- Verlag Berlin Heidelberg 1999 
datatype base = K of key | ...; 

datatype msg = B of base | P of msg * msg | C of msg * key; 

where key is some type of encryption keys, and the informal ellipsis ... 
indicates that there may be other base messages than keys: there is no induction 
principle on base. Encrypting a message $m$ with a key $k$ is done by applying 
the constructor C, viz. $C(m, k)$; that C is a free constructor automatically implies 
the desired features that an encrypted message cannot be confused with a pair 
or a base message ($\neg C(m, k) \approx P(m_1, m_2)$, $\neg C(m, k) \approx B(b)$), that there are no 
semantical overlaps between encrypted messages ($C(m_1, k_1) \approx C(m_2, k_2) \supset m_1 \approx m_2 \wedge k_1 \approx k_2$), 
and that there are no cycles, in particular we cannot decipher a 
message by encrypting it repetitively ($\neg C(C(\ldots C(m, k_1) \ldots, k_{n-1}), k_n) \approx m$). 

Working with non-confusion axioms atop a generic first-order prover is awkward, 
and it is fruitful to build them in. This is all the more desirable, as the 
semantics of free constructors is extremely simple: take any (many-sorted) Herbrand 
model, and insist that equality denote exactly identity on ground terms. 
We introduce a new sequent system, LKc≈, for theories with free constructors 
and equality, and where non-confusion axioms are built in; our motto here is 
simplicity, and we believe that LKc≈ is as simple as the semantics allows. 

The paper is organized as follows: we introduce all preliminary notions in 
Section 2, and vindicate the rules of our sequent system LKc≈ in Section 3. 
LKc≈ is a sound, complete proof system for first-order logic with equality and 
free constructors. We show this in Section 4, and also that cuts can be eliminated. 
The latter is indispensable if we are to derive a practical tableau calculus from 
LKc≈, a task which we defer for lack of space. We give a short tour of related 
ideas in Section 5, and conclude in Section 6. For space reasons, we won't consider 
structural induction, and most proofs are abridged; see [7] for details. 

2 Preliminaries 

Let $\mathcal{S}$ be a fixed set of sorts $\tau, \tau', \tau_1, \ldots$, and $\mathcal{C}$ be a fixed set of function 
symbols $c, d, \ldots$, which we call constructors. Each constructor $c$ is given a 
unique arity $\alpha(c)$, which is an expression of the form $\tau_1 \times \ldots \times \tau_n \to \tau$. Let $\mathcal{V}$ be 
a set of so-called variables $x_\tau, y_\tau, \ldots$; we assume that for each sort $\tau$, there 
are infinitely many variables with $\tau$ as subscript. The pre-terms $t$ are defined 
inductively as either variables $x_\tau$ or applications $c(t_1, \ldots, t_n)$ where $t_1, \ldots, t_n$ 
are pre-terms. We define a typing judgment $\triangleright t : \tau$ by the following rules: $\triangleright x_\tau : \tau$, 
and $\triangleright c(t_1, \ldots, t_n) : \tau$ whenever $\alpha(c) = \tau_1 \times \ldots \times \tau_n \to \tau$ and $\triangleright t_1 : \tau_1, \ldots, \triangleright t_n : \tau_n$. 

The terms are the pre-terms $t$ such that $\triangleright t : \tau$ for some $\tau$. In this case, $\tau$ is 
unique; we call it the type of the term $t$. When the type $\tau$ of $x_\tau$ is understood, 
we also drop the sort subscript and write $x$. The set $fv(t)$ of free variables of $t$ is 
defined in the usual way. A term $t$ such that $fv(t) = \emptyset$ is called closed or ground. 

A substitution $\sigma$ is a map from variables $x_\tau$ to terms of type $\tau$ such that 
$\sigma(x) = x$ for all but finitely many variables $x$. The domain $\mathrm{dom}\,\sigma$ of $\sigma$ is $\{x \in 
\mathcal{V} \mid \sigma(x) \neq x\}$. The notation $[x_1 := t_1, \ldots, x_m := t_m]$ denotes the substitution 
mapping each $x_i$ to $t_i$, $1 \leq i \leq m$, and mapping every other variable $y$ to $y$; in 
particular, $[]$ is the identity substitution. Let $\Sigma$ be the set of all substitutions. 

Substitution application $t \mapsto t\sigma$ is defined by $x\sigma =_{df} \sigma(x)$, $c(t_1, \ldots, t_n)\sigma =_{df} 
c(t_1\sigma, \ldots, t_n\sigma)$. The composition $\sigma\sigma'$ of $\sigma$ and $\sigma'$ is the unique substitution such 
that $t(\sigma\sigma') = (t\sigma)\sigma'$ for all $t$; this defines a monoid law, with $[]$ as unit. The 
relation $\leq$ defined by $\sigma \leq \sigma\sigma'$ is then a preorder: we say that $\sigma$ is more general 
than $\sigma\sigma'$. We write $\sigma \equiv \sigma'$ iff $\sigma \leq \sigma'$ and $\sigma' \leq \sigma$. 

A system of equations $E$ is any finite set of equations $s \approx t$, where $s$ and 
$t$ are terms of the same type. $E, E'$ denotes the union of $E$ and $E'$. A substitution 
$\sigma$ unifies $E$, or is a unifier of $E$, iff $s\sigma = t\sigma$ for every $s \approx t$ in $E$. $\sigma$ 
is idempotent iff $fv(\sigma(x)) \cap \mathrm{dom}\,\sigma = \emptyset$ for every $x \in \mathrm{dom}\,\sigma$; this implies that 
$\sigma\sigma = \sigma$. It is well-known [15] that every unifiable system of equations $E$ has 
an idempotent most general unifier, or mgu $\sigma_E$. Conversely, any substitution 
$\sigma =_{df} [x_1 := t_1, \ldots, x_m := t_m]$ with $\mathrm{dom}\,\sigma = \{x_1, \ldots, x_m\}$ defines a unique 
system of equations $\hat\sigma =_{df} \{x_1 \approx t_1, \ldots, x_m \approx t_m\}$. Let $mgu$ be any function 
mapping each unifiable system $E$ of equations to an idempotent unifier of $E$. 

Let $\bot$ be an element outside $\Sigma$, designed to represent non-unifiable systems. 
Extend $\leq$ so that $\sigma \leq \bot$ for every $\sigma \in \Sigma$. We may then extend the $mgu$ function 
so that $mgu(E) = \bot$ for every non-unifiable system $E$. Let also $\hat\bot =_{df} \bot$, and 
extend again the $mgu$ function so that $mgu(E, \bot) =_{df} \bot$, $mgu(\bot, E) =_{df} \bot$. 
This makes $\Sigma_\bot =_{df} \Sigma \cup \{\bot\}$ equipped with the pre-order $\leq$ a meet-semi-lattice 
with bottom element $\bot$, meet $\sqcap$ defined by $\sigma \sqcap \sigma' =_{df} mgu(\hat\sigma, \hat\sigma')$ for every 
$\sigma, \sigma' \in \Sigma_\bot$. For readability, we shall again write $mgu(\sigma, \sigma')$ for $\sigma \sqcap \sigma'$. 

We build atomic formulae using predicate symbols $P, Q, \ldots$, taken from 
a fixed set $\mathcal{P}$; each predicate symbol is equipped with an arity $\alpha(P) = \tau_1 \times 
\ldots \times \tau_n \to o$, where $o$ is the type of propositions, assumed not to be a sort. The 
atoms are either non-equality atoms $A, B, \ldots$, which are expressions of the form 
$P(t_1, \ldots, t_n)$ where $P$ is as above, and $\triangleright t_1 : \tau_1, \ldots, \triangleright t_n : \tau_n$; or equalities $s \approx t$ 
where $s$ and $t$ have the same type, whatever it is. We assume that $\approx$ is not in $\mathcal{P}$. 

Formulae $F, G, \ldots$, are built upon atoms using $0$ (false), $\supset$ (implication), 
and $\forall x_\tau \cdot$ (universal quantification) in the usual way; $\neg F$ abbreviates $F \supset 0$, and 
$\supset$ associates to the right. For conciseness, we see $\wedge$, $\vee$, $\exists x_\tau \cdot$ as defined connectives. 

Our algebra of sorts is designed to keep type-checking and unification problems 
simple. Undoubtedly, we can enrich the type system, but this comes at a 
price, and it is not our purpose to pay for it here. 

To sum up (the role of $\phi$ will be explained later): 

Definition 1. A language is a tuple $(\mathcal{C}, \mathcal{P}, \alpha, \phi)$ where $\mathcal{C} \cap \mathcal{P} = \emptyset$, $(\approx) \notin \mathcal{P}$; 
the arity function $\alpha$ maps each element $c \in \mathcal{C}$ to an expression of the form 
$\tau_1 \times \ldots \times \tau_n \to \tau$, and each element $P \in \mathcal{P}$ to an expression of the form 
$\tau_1 \times \ldots \times \tau_n \to o$; and $\phi$ maps each $P \in \mathcal{P}$ such that $\alpha(P) = \tau_1 \times \ldots \times \tau_n \to o$ 
to a set of subsets of $\{1, \ldots, n\}$; these subsets are called the functionalities of $P$. 
We assume that for every sort $\tau$, there is at least one ground term of type $\tau$. 

The Tarskian semantics of this language is as usual. An interpretation $I$ is a 
family $I(\tau)$ of pairwise disjoint non-empty sets indexed by sorts $\tau$, a function $I(c)$ 
from $I(\tau_1) \times \ldots \times I(\tau_n)$ to $I(\tau)$ for each constructor $c$ of arity $\tau_1 \times \ldots \times \tau_n \to 
\tau$, a subset $I(P)$ of $I(\tau_1) \times \ldots \times I(\tau_n)$ for each predicate symbol of arity 
$\tau_1 \times \ldots \times \tau_n \to o$, and a subset $I(\approx)$ of $\bigcup_\tau I(\tau) \times I(\tau)$. Valuations $\rho$ map 
variables $x_\tau$ to elements of $I(\tau)$. The semantics $I[t]\rho$ of terms $t$ is: $I[x]\rho =_{df} \rho(x)$, 
$I[c(t_1, \ldots, t_n)]\rho =_{df} I(c)(I[t_1]\rho, \ldots, I[t_n]\rho)$. The semantics of formulae is given 
by: $I, \rho \models P(t_1, \ldots, t_n)$ iff $(I[t_1]\rho, \ldots, I[t_n]\rho) \in I(P)$, and $I, \rho \models s \approx t$ iff 
$(I[s]\rho, I[t]\rho) \in I(\approx)$, and logical connectives are defined as usual. We write 
$I \models F$ iff $I, \rho \models F$ for every valuation $\rho$. 

An equational interpretation $I$ is such that $I, \rho \models s \approx t$ iff $I[s]\rho = I[t]\rho$, 
i.e. such that $I(\approx) = \{(v, v) \mid v \in \bigcup_\tau I(\tau)\}$. We shall also be interested in 
interpretations that are free, in that they obey non-confusion [4]: 

Definition 2. An interpretation $I$ is free iff: 

whenever $I[c(s_1, \ldots, s_m)]\rho = I[d(t_1, \ldots, t_n)]\rho$, then $c = d$, $m = n$, and $I[s_i]\rho = I[t_i]\rho$ 
for every $i$, $1 \leq i \leq m$; 

and whenever $I[x]\rho = I[t]\rho$, then either $x = t$ or $x$ is not free in $t$. 

3 Design of LKc≈ 

Because our domains are free, an equation $c(s_1, \ldots, s_m) \approx d(t_1, \ldots, t_n)$ can only 
hold when $c = d$, and the equations $s_1 \approx t_1, \ldots, s_m \approx t_m$ hold; also, $x \approx t$ can 
only hold when $x = t$ or when $x$ is not free in $t$. The astute reader will have 
recognized the basic rules for Martelli-Montanari-style first-order unification [10]. 
So, to prove $s_1 \approx t_1 \supset s_2 \approx t_2$, replace $s_1 \approx t_1$ by its most general unifier $\sigma$; if 
$s_2\sigma = t_2\sigma$, the implication is proved. For example, $S(x) \approx S(y) \supset x \approx y$ holds 
because $mgu(S(x) \approx S(y)) = [x := y]$, and $x[x := y] = y[x := y]$. We therefore 
consider sequents of the following form: 

Definition 3. An LKc≈ sequent is a triple $\sigma; \Gamma \vdash \Delta$, where $\sigma = \bot$ or $\sigma$ is an 
idempotent substitution in $\Sigma$, and $\Gamma$ and $\Delta$ are multisets of formulae. 

The substitution part $\sigma$ collects a preprocessed form of some equalities on the left 
of $\vdash$: the above sequent has the same semantics as the usual sequent $\hat\sigma, \Gamma \vdash \Delta$. 
If $\sigma$ is the identity substitution $[]$, we also write $; \Gamma \vdash \Delta$ instead of $[]; \Gamma \vdash \Delta$. We 
write $S, S'$ for the multiset union of $S$ and $S'$. 

The example above also justifies a reflexivity rule (≈R), where $\sigma; \Gamma \vdash s \approx 
t, \Delta$ is inferred whenever $\sigma \neq \bot$ and $s\sigma = t\sigma$. When $\sigma = \bot$, the equalities that 
$\sigma$ represents are non-unifiable, i.e. they are contradictory. For example, consider 
the equation $0 \approx S(x)$: if it occurs on the left of $\vdash$, then the sequent is proved. 

Hence we add an absurdity rule (⊥L), allowing us to infer $\bot; \Gamma \vdash \Delta$, whatever $\Gamma$ 
and $\Delta$ may be. We must not forget to process the equalities in the $\Gamma$ part, and 
have them mix with the $\sigma$ part; this is done by the (≈L) rule, see Figure 1. 
And we must also allow the system to conclude when the same formula occurs 
in the $\Gamma$ and in the $\Delta$ parts, up to equalities represented by $\sigma$: this is the (≈) 
rule of Figure 1. (Recall that, by convention, $A$ and $B$ are non-equality atoms.) 
Finally, note that our use of unification has nothing to do with proof search. 

Adding rules for the logical connectives is all we need to get a sound and 
complete sequent system for first-order logic with equality, i.e. the special case 
where there are no constructors, as we shall see in Section 4. On the downside, 
we do not have any function symbols, apart from constructors: functions 
must be coded as predicates, as in Prolog (say, the binary $+$ function as a ternary 
$\oplus(x, y, z)$ meaning $z \approx x + y$), obeying new axioms: functionality axioms expressing 
the uniqueness of the result (e.g., $\forall x, y, z, z' \cdot \oplus(x, y, z) \supset \oplus(x, y, z') \supset z \approx z'$), 
and totality axioms stating its existence (e.g., $\forall x, y \cdot \exists z \cdot \oplus(x, y, z)$). 

There does not seem to be any clever way of building in totality axioms. 
However, it is possible to build in functionality axioms (this will therefore make 
LKc≈ a theory of partial functions). To do this, we equip each predicate symbol 
$P$ with a set $\phi(P)$ of functionalities $f$: $f$ is a set of argument positions for 
$P$ such that, given some values at these positions, the values at the positions 
outside $f$ are uniquely determined. For instance, the predicate $\oplus$ above has 
functionality $\{1, 2\}$, since whenever its first two arguments are given, its third 
is determined uniquely. It also has the functionalities $\{1, 3\}$ and $\{2, 3\}$; that is, 
$\phi(\oplus) = \{\{1, 2\}, \{1, 3\}, \{2, 3\}\}$. Formally, if $\alpha(P) = \tau_1 \times \ldots \times \tau_n \to o$, $\phi(P)$ is a 
set of subsets of $\{1, \ldots, n\}$, as announced in Definition 1. 



Fig. 1. System LKc≈. Each rule is written as premiss(es), then a line, then the 
conclusion; side conditions are given in parentheses. Axioms have no premiss. 

(⊥L)   $\bot; \Gamma \vdash \Delta$ 

(≈)    $\sigma; \Gamma, A \vdash B, \Delta$   ($\sigma \neq \bot$, $A\sigma = B\sigma$) 

(≈R)   $\sigma; \Gamma \vdash s \approx t, \Delta$   ($\sigma \neq \bot$, $s\sigma = t\sigma$) 

(≈L)   $mgu(s \approx t, \sigma); \Gamma \vdash \Delta$ 
       ------------------------------ 
       $\sigma; \Gamma, s \approx t \vdash \Delta$ 

functionality rule   $\sigma; \Gamma, P(s_1, \ldots, s_n), P(t_1, \ldots, t_n), s_{\bar f} \approx t_{\bar f} \vdash \Delta$ 
       ------------------------------------------------------------ 
       $\sigma; \Gamma, P(s_1, \ldots, s_n), P(t_1, \ldots, t_n) \vdash \Delta$   ($\sigma \neq \bot$, $f \in \phi(P)$, $s_f\sigma = t_f\sigma$) 

(0L)   $\sigma; \Gamma, 0 \vdash \Delta$ 

(⊃L)   $\sigma; \Gamma, G \vdash \Delta$   $\sigma; \Gamma \vdash F, \Delta$ 
       ------------------------------ 
       $\sigma; \Gamma, F \supset G \vdash \Delta$ 

(⊃R)   $\sigma; \Gamma, F \vdash G, \Delta$ 
       ------------------------------ 
       $\sigma; \Gamma \vdash F \supset G, \Delta$ 

(∀L)   $\sigma; \Gamma, \forall x \cdot F, F[x := t] \vdash \Delta$ 
       ------------------------------ 
       $\sigma; \Gamma, \forall x \cdot F \vdash \Delta$ 

(∀R)   $\sigma; \Gamma \vdash F[x := y_\tau], \Delta$ 
       ------------------------------   ($y$ not free in $\sigma, \Gamma, \forall x_\tau \cdot F, \Delta$) 
       $\sigma; \Gamma \vdash \forall x_\tau \cdot F, \Delta$ 

(Cut)  $\sigma; \Gamma \vdash F, \Delta$   $\sigma; \Gamma, F \vdash \Delta$ 
       ------------------------------ 
       $\sigma; \Gamma \vdash \Delta$ 



Semantically, interpretations will have to respect functionalities: 

Definition 4. An interpretation $I$ respects functionalities iff, for every $P \in \mathcal{P}$, 
where $\alpha(P) = \tau_1 \times \ldots \times \tau_n \to o$, for every $f \in \phi(P)$, for every $v_i, v'_i \in I(\tau_i)$, 
$1 \leq i \leq n$: if $(v_1, \ldots, v_n) \in I(P)$ and $(v'_1, \ldots, v'_n) \in I(P)$, and $v_i = v'_i$ 
for every $i \in f$, then $v_i = v'_i$ for every $i \in \{1, \ldots, n\}$. 

To express this in the proof system, we add one rule. Given $f \in \phi(P)$, let $\bar f$ 
denote its complement $\{1, \ldots, n\} \setminus f$; given a finite set $f =_{df} \{i_1, \ldots, i_k\}$ of integers, and families 
of terms $(s_i)_{i \geq 0}$, $(t_i)_{i \geq 0}$, write $s_f \approx t_f$ for $s_{i_1} \approx t_{i_1}, \ldots, s_{i_k} \approx t_{i_k}$. The desired 
rule should express that $P(s_1, \ldots, s_n) \supset P(t_1, \ldots, t_n) \supset s_f \approx t_f \supset s_{\bar f} \approx t_{\bar f}$. 
This is best expressed as a left rule (where $f = \{i_1, \ldots, i_k\} \in \phi(P)$ and $\Gamma'$ 
abbreviates $\Gamma, P(s_1, \ldots, s_n), P(t_1, \ldots, t_n)$): 

$\sigma; \Gamma', s_{\bar f} \approx t_{\bar f} \vdash \Delta$   $\sigma; \Gamma' \vdash s_{i_1} \approx t_{i_1}, \Delta$   ...   $\sigma; \Gamma' \vdash s_{i_k} \approx t_{i_k}, \Delta$ 
------------------------------------------------------------------------------------ 
$\sigma; \Gamma, P(s_1, \ldots, s_n), P(t_1, \ldots, t_n) \vdash \Delta$ 

But the only (non-trivial) way we can prove an equality $s_{i_j} \approx t_{i_j}$ is by reflexivity, 
so we simplify this to the rule of Figure 1, where $s_f\sigma = t_f\sigma$ abbreviates 
the list $s_{i_1}\sigma = t_{i_1}\sigma, \ldots, s_{i_k}\sigma = t_{i_k}\sigma$. This terminates the description of LKc≈. 

4 Soundness, Completeness 

We shall use the following algorithm U as a guide for proving certain properties 
of most general unifiers: 

(Delete)  $E, s \approx s \Rightarrow E$ 

(Check1)  $E, x \approx t \Rightarrow \bot$   ($x \neq t$, $x \in fv(t)$) 

(Check2)  $E, t \approx x \Rightarrow \bot$   ($x \neq t$, $x \in fv(t)$) 

(Bind1)   $E, x \approx t \Rightarrow E[x := t], x \approx t$   ($x \notin fv(t)$, $x$ not solved in $E, x \approx t$) 

(Bind2)   $E, t \approx x \Rightarrow E[x := t], x \approx t$   ($x \notin fv(t)$, $x$ not solved in $E, x \approx t$) 

(Clash)   $E, c(s_1, \ldots, s_m) \approx d(t_1, \ldots, t_n) \Rightarrow \bot$   ($c \neq d$) 

(Decomp)  $E, c(s_1, \ldots, s_m) \approx c(t_1, \ldots, t_m) \Rightarrow E, s_1 \approx t_1, \ldots, s_m \approx t_m$ 

This is a variant of Martelli and Montanari's algorithm [10]. A variable $x$ is 
solved in $E$ iff $E$ is of the form $E', x \approx s$, where $x$ is free neither in $s$ nor in $E'$. 
$E$ is solved if all the variables occurring on either side of any equation in $E$ are 
solved in $E$. Let $\#E$ be the number of free unsolved variables in $E$. Let also $|E|$ be 
the size of $E$, defined as the sum of $|s \approx t|$, $(s \approx t) \in E$, where $|s \approx t| =_{df} |s| + |t|$, 
and the size of terms is defined by: $|x| =_{df} 1$, $|c(t_1, \ldots, t_n)| =_{df} 1 + |t_1| + \ldots + |t_n|$. 
Here, $\bot$ is a token denoting the absence of unifiers. 

Any sequence of steps $E_0 \Rightarrow E_1 \Rightarrow \ldots \Rightarrow E_n \Rightarrow \ldots$ by the rules of U terminates, 
since each rule makes $(\#E, |E|)$ decrease in the lexicographic ordering. 
Each rule also preserves the set of all unifiers, and for any maximal sequence 
$E_0 \Rightarrow E_1 \Rightarrow \ldots \Rightarrow E_n$ of rule applications, $E_n$ must be $\bot$ or a solved system 
$x_1 \approx t_1, \ldots, x_k \approx t_k$; in the first case, $E_0$ is not unifiable, in the second case 
$[x_1 := t_1, \ldots, x_k := t_k]$ is an mgu of $E_0$. We might define $mgu(E_0)$ as the output 
of this algorithm, but we wish to prove results independently of a particular 
algorithm. To this end, we use the following facts, stated without proof. 

Proposition 1. Consider the following rule on systems of equations: 

(Swap)  $E, x \approx y \Rightarrow E[y := x], y \approx x$ 

The (Swap) rule transforms solved systems $E_1$ into solved systems $E_2$ that have 
the same set of unifiers, and such that $\mathrm{dom}\,E_2 = (\mathrm{dom}\,E_1 \setminus \{x\}) \cup \{y\}$. 

Proposition 2. Let $E$ be a solved system, and $\sigma$ be an idempotent most general 
unifier of $E$. There is a finite sequence of (Swap) steps leading from $E$ to $\hat\sigma$. 

4.1 Soundness 

We extend the $\models$ notation: $I, \rho \models \sigma$, where $\sigma \in \Sigma_\bot$, iff $\sigma \neq \bot$ and $I[x]\rho = 
I[\sigma(x)]\rho$ for every $x$. $I, \rho \models (\sigma; \Gamma \vdash \Delta)$ is defined as: if $I, \rho \models \sigma$, and for every 
$F$ in $\Gamma$, $I, \rho \models F$, then there is a formula $G$ in $\Delta$ such that $I, \rho \models G$. Again, 
$I \models (\sigma; \Gamma \vdash \Delta)$ iff $I, \rho \models (\sigma; \Gamma \vdash \Delta)$ for every valuation $\rho$. 

Theorem 1 (Soundness). If $\sigma; \Gamma \vdash \Delta$ is provable in LKc≈, then for every free 
equational interpretation $I$ that respects functionalities, for every valuation $\rho$, it 
holds: $I, \rho \models (\sigma; \Gamma \vdash \Delta)$. 

Proof. By structural induction on the proof, looking at the last rule used. We 
only deal with the most important cases: 

- Rule (≈): assume $\sigma \neq \bot$, $A\sigma = B\sigma$. To show that $I, \rho \models (\sigma; \Gamma, A \vdash B, \Delta)$ 
for every $\rho$, we need to state a few auxiliary lemmas: 

Proposition 3. For every $s$, $t$, if $s\sigma = t\sigma$ and $I, \rho \models \sigma$, then $I[s]\rho = I[t]\rho$. 

Proposition 4. For every non-equality atoms $A$, $B$, whenever $A\sigma = B\sigma$ and 
$I, \rho \models \sigma$, then $I, \rho \models A$ iff $I, \rho \models B$. 

Now if $I, \rho \models \sigma$ and $I, \rho \models F$ for every $F$ in $\Gamma, A$, then in particular $I, \rho \models A$, 
and by Proposition 4 $I, \rho \models B$; therefore $I, \rho \models (\sigma; \Gamma, A \vdash B, \Delta)$. 

- Rule (≈R): similarly, using Proposition 3. 

- Rule (≈L): again, we first make a few auxiliary claims. Write $I, \rho \models E$ to 
say that $I, \rho \models s \approx t$ for every equation $s \approx t$ in $E$. 

Lemma 1. For every system of equations $E$, for every $\rho$, if $I, \rho \models E$, then $E$ 
is unifiable and $I, \rho \models \sigma$, for all idempotent mgus $\sigma$ of $E$. 

Proof. First, show that $E$ is unifiable by some idempotent mgu $\sigma_0$ with $I, \rho \models \sigma_0$: 
$\sigma_0$ is the mgu that algorithm U computes, under some fixed strategy. The claim is 
proved by an easy induction on $(\#E, |E|)$ ordered lexicographically, considering 
whether $E$ is solved or not, and in case $E$ is not solved, by considering each 
of the rules of U in turn. Note that the claim is trivial when $E$ is solved. We 
then show that $I, \rho \models \sigma$, for all idempotent mgus $\sigma$ of $E$. Now, $\hat\sigma$ is obtained 
from $E$ by a finite sequence of rules in U, followed by finitely many instances of 
(Swap), by Proposition 2. We show that $I, \rho \models \sigma$ by another easy induction on 
the number of instances of rules that we used, noticing that all rules, including 
(Swap) (by Proposition 1), preserve the set of unifiers. □ 

We now show that (≈L) is sound. Assume that $mgu(s \approx t, \sigma); \Gamma \vdash \Delta$ 
is derived. By induction hypothesis: (a) $I, \rho \models (mgu(s \approx t, \sigma); \Gamma \vdash \Delta)$. Now 
assume that: (b) $I, \rho \models \sigma$ and $I, \rho \models F$ for every formula $F$ in $\Gamma, s \approx t$. In 
particular, $I, \rho \models s \approx t$. Moreover, (b) implies $I, \rho \models \hat\sigma$, so $I, \rho \models s \approx t, \hat\sigma$. By 
Lemma 1, $I, \rho \models mgu(s \approx t, \sigma)$, whatever the definition of the function $mgu$. 
Since by (b) $I, \rho \models F$ for every $F$ in $\Gamma$, by (a) $I, \rho \models G$ for some $G$ in $\Delta$. □ 




A Simple Sequent System for First-Order Logic with Free Constructors 



4.2 Completeness 

Lemma 2. For every formulae $F$, $G$, $\sigma; \Gamma, F \vdash G, \Delta$ is provable in LKc≈ as 
soon as $\sigma = \bot$, or $\sigma \neq \bot$ and $F\sigma = G\sigma$. 

Proof. Easy structural induction on $F$. (Observe that (≈) cannot be used directly, 
since the closing formulae $A$ and $B$ are non-equality atoms.) 

Lemma 3 (Weakening). If $\sigma; \Gamma \vdash \Delta$ is provable in LKc≈, then $mgu(\sigma, E); 
\Gamma', \Gamma \vdash \Delta, \Delta'$ is provable in LKc≈, for every system of equations $E$, for every 
multisets of formulas $\Gamma'$ and $\Delta'$. 

Proof. By structural induction on the given proof $\pi$ of $\sigma; \Gamma \vdash \Delta$. Use (⊥L) when 
$mgu(\sigma, E) = \bot$. Otherwise, this is straightforward, using the fact that $mgu$ is associative 
in the case of (≈L). □ 

Theorem 2 (Completeness). If $I \models (\sigma; \Gamma \vdash \Delta)$ for every free equational 
interpretation $I$ that respects functionalities, then $\sigma; \Gamma \vdash \Delta$ is provable in LKc≈. 

Proof. Let $T$ be the following infinite set of formulae: 

1. (Reflexivity) $\forall x_\tau \cdot x \approx x$; 

2. (Symmetry) $\forall x_\tau \cdot \forall y_\tau \cdot x \approx y \supset y \approx x$; 

3. (Transitivity) $\forall x_\tau \cdot \forall y_\tau \cdot \forall z_\tau \cdot x \approx y \wedge y \approx z \supset x \approx z$; 

4. (FCongruence) $\forall x_1 \cdot \forall y_1 \cdot \ldots \cdot \forall x_n \cdot \forall y_n \cdot x_1 \approx y_1 \supset \ldots \supset x_n \approx y_n \supset 
c(x_1, \ldots, x_n) \approx c(y_1, \ldots, y_n)$ for every constructor $c$ of arity $\tau_1 \times \ldots \times \tau_n \to \tau$; 

5. (PCongruence) $\forall x_1 \cdot \forall y_1 \cdot \ldots \cdot \forall x_n \cdot \forall y_n \cdot x_1 \approx y_1 \supset \ldots \supset x_n \approx y_n \supset 
P(x_1, \ldots, x_n) \supset P(y_1, \ldots, y_n)$ for every predicate $P$ of arity $\tau_1 \times \ldots \times \tau_n \to o$; 

6. (Clash) $\forall x_1 \cdot \ldots \cdot \forall x_n \cdot \forall y_1 \cdot \ldots \cdot \forall y_{n'} \cdot \neg c(x_1, \ldots, x_n) \approx d(y_1, \ldots, y_{n'})$ 
for every distinct constructors $c$ and $d$, of respective arities $\tau_1 \times \ldots \times \tau_n \to \tau$ 
and $\tau'_1 \times \ldots \times \tau'_{n'} \to \tau$; 

7. (Decomp) $\forall x_1 \cdot \forall y_1 \cdot \ldots \cdot \forall x_n \cdot \forall y_n \cdot c(x_1, \ldots, x_n) \approx c(y_1, \ldots, y_n) \supset 
x_i \approx y_i$ for every $c$ of arity $\tau_1 \times \ldots \times \tau_n \to \tau$, $n \geq 1$, and every $i$, $1 \leq i \leq n$; 

8. (Check) $\forall y_1 \cdot \ldots \cdot \forall y_n \cdot \neg x \approx t$ for every term $t$ such that $x \neq t$ and $x$ is free 
in $t$, where $\{y_1, \ldots, y_n\} = fv(t)$; 

9. (Function) $\forall x_1 \cdot \forall y_1 \cdot \ldots \cdot \forall x_n \cdot \forall y_n \cdot \bigwedge x_f \approx y_f \supset P(x_1, \ldots, x_n) \supset P(y_1, \ldots, y_n) 
\supset x_i \approx y_i$ for every predicate $P$ of arity $\tau_1 \times \ldots \times \tau_n \to o$, every $f \in \phi(P)$ 
and every $i \in \{1, \ldots, n\}$; by $\bigwedge x_f \approx y_f \supset F$, we denote the formula $x_{i_1} \approx 
y_{i_1} \supset \ldots \supset x_{i_k} \approx y_{i_k} \supset F$, where $f = \{i_1, \ldots, i_k\}$, $1 \leq i_1 < \ldots < i_k \leq n$. 

Say that $I \models T$ iff $I \models F$ for every $F$ in $T$. 

Proposition 5. For every interpretation $I$ such that $I \models T$, there is an interpretation, 
the quotient interpretation $I/\!\approx$, which is free, equational and respects 
functionalities, and such that $I/\!\approx \models F$ iff $I \models F$, for every $F$. 

Proof. Take for $I/\!\approx$ the quotient of $I$ by the equivalence relation $I(\approx)$. □ 
Now assume that: (a) $I_0 \models (\sigma; \Gamma \vdash \Delta)$ for every free equational interpretation 
$I_0$ that respects functionalities. If $\sigma = \bot$, then $\sigma; \Gamma \vdash \Delta$ is proved by (⊥L). 

So assume that $\sigma \neq \bot$, and let $I$ be an arbitrary interpretation. If $I \models T$, 
by Proposition 5 we may take $I_0 =_{df} I/\!\approx$ in (a), so $I/\!\approx \models (\sigma; \Gamma \vdash \Delta)$. By 
Proposition 5 again, $I \models (\sigma; \Gamma \vdash \Delta)$. So $I \models T$ implies $I \models (\sigma; \Gamma \vdash \Delta)$, hence: 
(b) $I \models (T, \hat\sigma, \Gamma \vdash \Delta)$, where the latter notation means that for every valuation 
$\rho$, if $I, \rho \models F$ for every $F \in T, \hat\sigma, \Gamma$, then $I, \rho \models G$ for some $G \in \Delta$. 

Since first-order logic is compact [8], there is a finite subset $T_{fin}$ of $T$ such 
that $T_{fin}, \hat\sigma, \Gamma, \neg\Delta$ is unsatisfiable, where $\neg\Delta =_{df} \{\neg G \mid G \in \Delta\}$. Consider the 
following system ND: 



$$\frac{}{\Delta, F \vdash F}\ (Ax) \qquad \frac{\Delta, F \vdash G}{\Delta \vdash F \supset G}\ (\supset I) \qquad \frac{\Delta \vdash F \supset G \qquad \Delta \vdash F}{\Delta \vdash G}\ (\supset E)$$

$$\frac{\Delta \vdash 0}{\Delta \vdash F}\ (0E) \qquad \frac{\Delta, \neg F \vdash 0}{\Delta \vdash F}\ (\neg\neg E)$$

$$\frac{\Delta \vdash F[x := y_\tau]}{\Delta \vdash \forall x_\tau \cdot F}\ (\forall I)\ \ (y \text{ not free in } \Delta) \qquad \frac{\Delta \vdash \forall x_\tau \cdot F \qquad t : \tau}{\Delta \vdash F[x := t]}\ (\forall E)$$

which is complete in the following sense: for every multiset of formulae $\Delta$, for every formula $F$, if $I \models (\Delta \vdash F)$ for every $I$, then $\Delta \vdash F$ is provable. It follows that: (c) $T_{fin}, \sigma, \Gamma, \neg\Delta \vdash 0$ is provable in ND. We now translate this ND proof into an LKc~ proof.



Lemma 4. Whenever $\sigma$ is an idempotent substitution, other than $\bot$, and $T_{fin}, \sigma, \Delta \vdash F$ is provable in ND, then $\sigma; \Delta \vdash F$ is provable in LKc~.

Proof. By structural induction on the given ND proof of $T_{fin}, \sigma, \Delta \vdash F$. The most important case is when the last rule is (Ax), then $F$ is in $T_{fin}$, $\sigma$ or $\Delta$. If $F$ is in $\Delta$, then the result follows from Lemma 2, since $\sigma \neq \bot$. If $F$ is in $\sigma$, then $F$ is of the form $x \approx t$, and we derive $\sigma; \Delta \vdash x \approx t$ by ($\approx$R). Indeed, $x\sigma = t$ (since $x \approx t$ is in $\sigma$) $= t\sigma$ (since $\sigma$ is idempotent). If $F \in T_{fin}$, we consider the cases of the 9 kinds of formulae in $T$. We only deal with a few cases (in each case, complete by Lemma 3 to get the desired proof):



3. (Transitivity)

$$\dfrac{\dfrac{\dfrac{\dfrac{}{mgu(x \approx y, y \approx z);\ \vdash x \approx z}\ (\approx R)}{;\ x \approx y, y \approx z \vdash x \approx z}\ 2 \times (\approx L)}{;\ \vdash x \approx y \wedge y \approx z \supset x \approx z}\ (\wedge L), (\supset R)}{;\ \vdash \forall x_\tau \cdot \forall y_\tau \cdot \forall z_\tau \cdot x \approx y \wedge y \approx z \supset x \approx z}\ 3 \times (\forall R)$$

4. (FCongruence) We go a bit faster now:

$$\dfrac{\dfrac{\dfrac{}{mgu(x_1 \approx y_1, \ldots, x_n \approx y_n);\ \vdash c(x_1, \ldots, x_n) \approx c(y_1, \ldots, y_n)}\ (\approx R)}{;\ x_1 \approx y_1, \ldots, x_n \approx y_n \vdash c(x_1, \ldots, x_n) \approx c(y_1, \ldots, y_n)}\ n \times (\approx L)}{;\ \vdash \forall x_1, y_1, \ldots, x_n, y_n \cdot x_1 \approx y_1 \supset \ldots \supset x_n \approx y_n \supset c(x_1, \ldots, x_n) \approx c(y_1, \ldots, y_n)}$$

where the last line is by ($\supset$R) $n$ times, then ($\forall$R) $2n$ times.
6. (Clash) Recall that $\neg F$ abbreviates $F \supset 0$. If $c$ and $d$ are distinct constructors, then $mgu(c(x_1, \ldots, x_n) \approx d(y_1, \ldots, y_m)) = \bot$, therefore:

$$\dfrac{\dfrac{\dfrac{\dfrac{}{\bot;\ \vdash 0}\ (\bot L)}{;\ c(x_1, \ldots, x_n) \approx d(y_1, \ldots, y_m) \vdash 0}\ (\approx L)}{;\ \vdash \neg c(x_1, \ldots, x_n) \approx d(y_1, \ldots, y_m)}\ (\supset R)}{;\ \vdash \forall x_1 \cdot \ldots \cdot \forall x_n \cdot \forall y_1 \cdot \ldots \cdot \forall y_m \cdot \neg c(x_1, \ldots, x_n) \approx d(y_1, \ldots, y_m)}\ (n+m) \times (\forall R)$$

9. (Function) Let $k$ be the cardinality of $f$, write $x_f \approx y_f$ for the $k$ equations $x_{i_1} \approx y_{i_1}, \ldots, x_{i_k} \approx y_{i_k}$, and write (Fun) for the functionality rule of LKc~ (the rule of Figure 1 that consumes $P(x_1, \ldots, x_n)$ and $P(y_1, \ldots, y_n)$ when $x_f\sigma = y_f\sigma$):

$$\dfrac{\dfrac{\dfrac{\dfrac{}{mgu(x_f \approx y_f);\ P(x_1, \ldots, x_n), P(y_1, \ldots, y_n), x_i \approx y_i \vdash x_i \approx y_i}\ (\approx L), (\approx R)}{mgu(x_f \approx y_f);\ P(x_1, \ldots, x_n), P(y_1, \ldots, y_n) \vdash x_i \approx y_i}\ (Fun)}{;\ x_f \approx y_f, P(x_1, \ldots, x_n), P(y_1, \ldots, y_n) \vdash x_i \approx y_i}\ k \times (\approx L)}{;\ \vdash \forall x_1, y_1, \ldots, x_n, y_n \cdot \bigwedge x_f \approx y_f \supset P(x_1, \ldots, x_n) \supset P(y_1, \ldots, y_n) \supset x_i \approx y_i}$$

where the last line uses ($\supset$R) $k+2$ times, and ($\forall$R) $2n$ times.

When the last rule in the ND proof of $T_{fin}, \sigma, \Delta \vdash F$ is not (Ax), then we use standard arguments [8] to build an LKc~ proof of $\sigma; \Delta \vdash F$, using Lemma 3 and Lemma 2. This uses (Cut) in the cases of ($\supset$E), ($\forall$E), (0E), ($\neg\neg$E). □

By Lemma 4 and (c), $\sigma; \Gamma, \neg\Delta \vdash 0$ is therefore provable in LKc~. We then deduce $\sigma; \Gamma \vdash \Delta$ easily, using (Cut) several times. □



4.3 Cut Elimination

Theorem 2 heavily relies on the (Cut) rule. The purpose of this section is to show that all instances of (Cut) can be eliminated. We roughly follow [6], Chapter 13.

Referring to the notations of Figure 1, call a formula occurrence principal in a rule if it is explicitly shown in the conclusion of this rule (i.e., if it is not an occurrence inside the $\Gamma$ or $\Delta$ components), and active in some premise if it is explicitly shown in this premise (again, this means not in $\Gamma$ or $\Delta$).

Define the degree $d(F)$ of a formula $F$ by: $d(A) =_{df} d(s \approx t) =_{df} d(0) =_{df} 1$, $d(F \supset G) =_{df} \max(d(F), d(G)) + 1$, $d(\forall x_\tau \cdot F) =_{df} d(F) + 1$. In an instance of (Cut), the occurrences of the active formula $F$ are called the cut formulae. Their common degree is called the degree of the cut rule. The degree $d(\pi)$ of a proof $\pi$ is the sup of the degrees of its cut rules, or 0 if $\pi$ is cut-free. Let $h(\pi)$ denote the height of a proof, defined as 1 if it ends in a rule with no premise, otherwise as $\max_i(h(\pi_i)) + 1$, where $\pi_i$ ranges over all immediate subproofs of $\pi$.

Proposition 6. Let $\sigma$ be an idempotent substitution, such that $s\sigma = s'\sigma$ and $t\sigma = t'\sigma$; then $mgu(s \approx t, \sigma) = mgu(s' \approx t', \sigma)$.

Proposition 7 (Substitution Replacement). Assume $\sigma \equiv \sigma'$. If $\sigma; \Gamma \vdash \Delta$ has a proof of degree $d$ and height $h$ in LKc~, then so does $\sigma'; \Gamma \vdash \Delta$.

Lemma 5 (Rewriting). If $\sigma; \Gamma \vdash \Delta$ has an LKc~ proof of degree $d$ and height $n$, $\sigma \neq \bot$ and $\Gamma\sigma = \Gamma'\sigma$, $\Delta\sigma = \Delta'\sigma$, then $\sigma; \Gamma' \vdash \Delta'$ has an LKc~ proof of degree at most $d$ and height at most $n$.

Proof. By structural induction on the given LKc~ proof $\pi$ of $\sigma; \Gamma \vdash \Delta$, using Proposition 6 in case the last rule is ($\approx$L). □

Lemma 6 (Weakening). If $\sigma; \Gamma \vdash \Delta$ has a proof of degree $d$ and height $n$ in LKc~, then $mgu(\sigma, E); \Gamma', \Gamma \vdash \Delta, \Delta'$ has a proof of degree at most $d$ and height at most $n$ in LKc~, for every system of equations $E$, for every multisets of formulas $\Gamma'$ and $\Delta'$.

Proof. As for Lemma 3, taking care of degrees and heights. □

The main difficulty in showing cut-elimination occurs in the case of quantifier rules: we need to show that we can replace variables by terms in proofs without increasing the degree or the height of the proof. This will be Lemma 8 below.

Given two systems of equations $E_1$ and $E_2$, write $E_1 \Vdash E_2$ iff $E_1$ is not unifiable, or $mgu(E_1)$ unifies $E_2$. For short, we agree that $E \Vdash E$ for every system of equations $E$, that $\bot \Vdash \bot$, and that $E \Vdash \bot$ iff $E$ is not unifiable. A reflexivity equation is an equation of the form $t \approx t$.

Lemma 7. The following hold:

(i) If $E_1 \Vdash E_2$, then $E_1\sigma \Vdash E_2\sigma$ for every substitution $\sigma$.

(ii) If $E_1, E_2 \Vdash E_3$, and $E_2$ is a collection of reflexivity equations, then $E_1 \Vdash E_3$.

(iii) If $E_1\sigma, \sigma \Vdash E_2$, then $E_1, \sigma \Vdash E_2$.

(iv) If $E_1, \sigma \Vdash E_2\sigma$, then also $E_1, \sigma \Vdash E_2$.

(v) If $E_1 \Vdash E_3$, then $E_1, E_2 \Vdash E_3$.

(vi) If $\theta$ is an idempotent substitution, then $E_1\theta \Vdash E_2\theta$ iff $E_1, \theta \Vdash E_2$.

Proof. (i): let $\sigma_1 =_{df} mgu(E_1)$ and $\sigma'_1 =_{df} mgu(E_1\sigma)$; if $\sigma'_1 = \bot$, (i) is clear. Otherwise, $\sigma'_1$ unifies $E_1\sigma$, so $\sigma\sigma'_1$ unifies $E_1$. Hence $\sigma\sigma'_1$ is an instance of $\sigma_1 = mgu(E_1)$. Since $E_1 \Vdash E_2$, $\sigma_1$ unifies $E_2$, so its instance $\sigma\sigma'_1$ also unifies $E_2$; so $\sigma'_1$ unifies $E_2\sigma$.

(ii): let $\sigma$ be $mgu(E_1)$; $\sigma = mgu(E_1, E_2)$ as well, so $\sigma$ unifies $E_3$.

(iii): let $\sigma'$ be $mgu(E_1, \sigma)$. Then $\sigma'$ unifies every equation $s \approx t$ in $E_1$, and also $s$ with $s\sigma$ and $t$ with $t\sigma$ (since $\sigma'$ unifies $\sigma$); so it unifies $s\sigma$ with $t\sigma$, and this for every equation $s \approx t$ in $E_1$. So $\sigma'$ unifies $E_1\sigma$. Moreover, by definition $\sigma'$ unifies $\sigma$, so $\sigma'$ unifies $E_1\sigma, \sigma$. Since $E_1\sigma, \sigma \Vdash E_2$, $\sigma'$ unifies $E_2$.

(iv): let $\sigma'$ be $mgu(E_1, \sigma)$. By assumption, $\sigma'$ unifies $E_2\sigma$, so unifies every equation $s\sigma \approx t\sigma$, for every $s \approx t$ in $E_2$. Since $\sigma'$ unifies $\sigma$, $\sigma'$ unifies $s$ with $s\sigma$ and $t$ with $t\sigma$, so $\sigma'$ unifies $s \approx t$, for every $s \approx t$ in $E_2$. Therefore, $\sigma'$ unifies $E_2$.

(v): let $\sigma$ be $mgu(E_1, E_2)$. Then $\sigma$ unifies $E_1$, so it is an instance of $mgu(E_1)$. Since $E_1 \Vdash E_3$, $\sigma$ also unifies $E_3$.

(vi), if direction: since $E_1, \theta \Vdash E_2$, we have $E_1\theta, \theta\theta \Vdash E_2\theta$ by (i). But $\theta\theta = \{x\theta \approx x\theta\theta \mid x \in dom\,\theta\}$. Since $\theta$ is idempotent, $x\theta\theta = x\theta$, so by (ii), $E_1\theta \Vdash E_2\theta$.

(vi), only if direction: since $E_1\theta \Vdash E_2\theta$, by (v) $E_1\theta, \theta \Vdash E_2\theta$, so by (iii) and (iv), $E_1, \theta \Vdash E_2$. □
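The unification notions this proof and the set $T$ rely on (an idempotent $mgu$ or $\bot$ for a non-unifiable system, the (Clash), (Decomp) and (Check) schemes, and the relation $\Vdash$ of Lemma 7), as an added Python example; this is not the paper's code. The function names (`forces` for $\Vdash$, `lemma7_vi`) and the sample signature (constants `c`, `d`, binary constructor `f`, variables `x`, `y`, `z`) are constructed for the example.

```python
from dataclasses import dataclass


class Bottom:
    """The failed substitution ⊥: result of unifying a non-unifiable system."""
    def __repr__(self):
        return "⊥"


BOTTOM = Bottom()


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    c: str               # constructor name
    args: tuple = ()     # arguments; a constant is an App without arguments


def apply(t, sigma):
    """t·sigma: apply the substitution sigma (a dict Var -> term) to the term t."""
    if isinstance(t, Var):
        return sigma.get(t, t)
    return App(t.c, tuple(apply(a, sigma) for a in t.args))


def occurs(x, t):
    """True iff the variable x is free in the term t."""
    return x == t if isinstance(t, Var) else any(occurs(x, a) for a in t.args)


def mgu(eqs, sigma=None):
    """mgu(E, sigma): most general unifier of the equations E together with the
    equations {x ≈ x·sigma} of the substitution sigma, or BOTTOM.  The result
    is idempotent: no variable of its domain occurs in its range."""
    if sigma is BOTTOM:
        return BOTTOM                                  # mgu(E, ⊥) = ⊥
    work = list(eqs) + list((sigma or {}).items())
    out = {}
    while work:
        s, t = work.pop()
        s, t = apply(s, out), apply(t, out)
        if s == t:
            continue                                   # (Reflexivity): nothing to solve
        if isinstance(t, Var) and not isinstance(s, Var):
            s, t = t, s                                # (Symmetry): orient as x ≈ t
        if isinstance(s, Var):
            if occurs(s, t):
                return BOTTOM                          # (Check): x ≈ t with x free in t
            bind = {s: t}
            out = {y: apply(u, bind) for y, u in out.items()}
            out[s] = t                                 # keeps `out` idempotent
        elif s.c != t.c or len(s.args) != len(t.args):
            return BOTTOM                              # (Clash): distinct constructors
        else:
            work.extend(zip(s.args, t.args))           # (Decomp): c(x) ≈ c(y) ⊃ x_i ≈ y_i
    return out


def idempotent(sigma):
    return sigma is not BOTTOM and all(apply(t, sigma) == t for t in sigma.values())


def unifies(sigma, eqs):
    return sigma is not BOTTOM and all(apply(s, sigma) == apply(t, sigma) for s, t in eqs)


def forces(e1, e2):
    """E1 ⊩ E2 of Section 4.3: E1 is not unifiable, or mgu(E1) unifies E2."""
    m = mgu(e1)
    return m is BOTTOM or unifies(m, e2)


def subst_eqs(eqs, theta):
    """E·theta: apply theta to both sides of every equation of E."""
    return [(apply(s, theta), apply(t, theta)) for s, t in eqs]


def lemma7_vi(e1, e2, theta):
    """Evaluate both sides of Lemma 7 (vi) for an idempotent theta:
    E1·theta ⊩ E2·theta  iff  E1, theta ⊩ E2.  Returns the pair of truth values."""
    assert idempotent(theta)
    left = forces(subst_eqs(e1, theta), subst_eqs(e2, theta))
    m = mgu(e1, theta)
    right = m is BOTTOM or unifies(m, e2)
    return left, right


# Constructed sample signature: constants c, d, a binary constructor f, variables x, y, z.
x, y, z = Var("x"), Var("y"), Var("z")
c, d = App("c"), App("d")


def f(s, t):
    return App("f", (s, t))


if __name__ == "__main__":
    print(mgu([(f(x, c), f(d, y))]))
    print(mgu([(f(x, x), f(c, d))]))          # ⊥ by (Clash)
    print(mgu([(x, f(x, y))]))                # ⊥ by (Check)
    print(lemma7_vi([(x, f(z, c))], [(y, z)], {x: f(y, c)}))   # (True, True)
```

`mgu(eqs, sigma)` with `sigma` an idempotent substitution is the paper's $mgu(s \approx t, \sigma)$, so Proposition 6 can be checked directly by comparing `mgu([(s, t)], sigma)` with `mgu([(s2, t2)], sigma)` when both sides agree under `sigma`.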

Lemma 8. For every idempotent substitution $\theta$, if $\sigma; \Gamma \vdash \Delta$ has a proof of degree $d$ and height $n$ in LKc~, then $mgu(\sigma\theta); \Gamma\theta \vdash \Delta\theta$ has a proof of degree at most $d$ and height at most $n$.

Proof. That is, we can apply substitutions $\theta$ to whole proofs. We prove the result by structural induction on the given proof of $\sigma; \Gamma \vdash \Delta$. We examine the last rule: if this is ($\bot$L), the result is trivial. Otherwise, if $mgu(\sigma\theta) = \bot$, then $mgu(\sigma\theta); \Gamma\theta \vdash \Delta\theta$ has a proof by ($\bot$L), with degree 0 and height 1, so the result is clear. So assume that $\sigma \neq \bot$, $mgu(\sigma\theta) \neq \bot$, and examine each rule in turn:

— ($\approx$R): we have derived $\sigma; \Gamma \vdash s \approx t, \Delta$, using $s\sigma = t\sigma$. The latter means $\sigma \Vdash s \approx t$. By Lemma 7 (v), $\sigma, \theta \Vdash s \approx t$. By Lemma 7 (i), $\sigma\theta, \theta\theta \Vdash s\theta \approx t\theta$. Since $\theta$ is idempotent, $\theta\theta$ is a collection of reflexivity equations, so by Lemma 7 (ii), $\sigma\theta \Vdash s\theta \approx t\theta$. So $mgu(\sigma\theta); \Gamma\theta \vdash \Delta\theta, s\theta \approx t\theta$ is provable by ($\approx$R) again. The case of ($\not\approx$) is similar.

— ($\approx$L): we have derived $\sigma; \Gamma, s \approx t \vdash \Delta$ from a proof of $mgu(s \approx t, \sigma); \Gamma \vdash \Delta$ of degree $d$ and height $n - 1$. By induction hypothesis: (†) there is a proof of $mgu(mgu(s \approx t, \sigma)\theta); \Gamma\theta \vdash \Delta\theta$ of degree $d$ at most and height $n - 1$ at most.

We claim that: (*) $mgu(\sigma\theta, s\theta \approx t\theta)$ is an instance of $mgu(mgu(s \approx t, \sigma)\theta)$. Indeed, $\sigma, s \approx t, \theta \Vdash mgu(s \approx t, \sigma)$ since the mgu of the left-hand side is clearly an instance of the mgu of the right-hand side. By Lemma 7 (vi), since $\theta$ is idempotent, $\sigma\theta, s\theta \approx t\theta \Vdash mgu(s \approx t, \sigma)\theta$. This means that $mgu(\sigma\theta, s\theta \approx t\theta)$ unifies $mgu(s \approx t, \sigma)\theta$. This shows (*).

In particular, $mgu(\sigma\theta, s\theta \approx t\theta)$ is equivalent w.r.t. the $\equiv$ relation to the mgu of $mgu(mgu(s \approx t, \sigma)\theta)$ and some system of equations $E$: just take $E =_{df} mgu(\sigma\theta, s\theta \approx t\theta)$ itself. It follows from (†), Lemma 6 and Proposition 7 that we can build a proof of $mgu(\sigma\theta, s\theta \approx t\theta); \Gamma\theta \vdash \Delta\theta$ of degree $d$ at most and height $n - 1$ at most. By rule ($\approx$L), we infer a proof of $mgu(\sigma\theta); \Gamma\theta, s\theta \approx t\theta \vdash \Delta\theta$ of degree $d$ at most and height $n$ at most, as desired.

— The cases of all other rules are straightforward. □

Lemma 9. Given any LKc~ proof of the form:

$$\dfrac{\dfrac{\pi_1}{\sigma; \Gamma \vdash F_0, \Delta} \qquad \dfrac{\pi_2}{\sigma; \Gamma, F_0 \vdash \Delta}}{\sigma; \Gamma \vdash \Delta}\ (Cut)$$

where $d(F_0) = d$, $d(\pi_1) < d$ and $d(\pi_2) < d$, then we can build effectively an LKc~ proof $\pi$ of $\sigma; \Gamma \vdash \Delta$ with $d(\pi) < d$.

Proof. By induction on $h(\pi_1) + h(\pi_2)$. If $F_0$ is not principal either in the last rule $R_1$ of $\pi_1$ or in the last rule $R_2$ of $\pi_2$, then this is by induction. So deal with the cases where $F_0$ is principal in $R_1$ and in $R_2$. We have the following cases:
— $R_1 = (Ax)$: then $F_0$ is a non-equality atom, hence $R_2$ must be one of:

• $R_2 = (Ax)$: we transform

$$\dfrac{\dfrac{\sigma \neq \bot,\ A\sigma = F_0\sigma}{\sigma; \Gamma, A \vdash F_0, B, \Delta}\ (Ax) \qquad \dfrac{\sigma \neq \bot,\ F_0\sigma = B\sigma}{\sigma; \Gamma, A, F_0 \vdash B, \Delta}\ (Ax)}{\sigma; \Gamma, A \vdash B, \Delta}\ (Cut)
\qquad \text{into} \qquad
\dfrac{\sigma \neq \bot,\ A\sigma = B\sigma}{\sigma; \Gamma, A \vdash B, \Delta}\ (Ax)$$

• $R_2 = (Fun)$ (the functionality rule): then $F_0$ is of the form $P(s_1, \ldots, s_n)$; letting $f \in \Phi(P)$ with $\sigma \neq \bot$, $s_f\sigma = t_f\sigma$, we transform:

$$\dfrac{\dfrac{\sigma \neq \bot,\ A\sigma = P(s_1, \ldots, s_n)\sigma}{\sigma; \Gamma, A \vdash P(s_1, \ldots, s_n), \Delta}\ (Ax) \qquad \dfrac{\dfrac{\pi_2}{\sigma; \Gamma, A, P(s_1, \ldots, s_n), P(t_1, \ldots, t_n), s_j \approx t_j \vdash \Delta}}{\sigma; \Gamma, A, P(s_1, \ldots, s_n), P(t_1, \ldots, t_n) \vdash \Delta}\ (Fun)}{\sigma; \Gamma, A, P(t_1, \ldots, t_n) \vdash \Delta}\ (Cut)$$

as follows. First, $A\sigma = P(s_1, \ldots, s_n)\sigma$, so $A$ is of the form $P(u_1, \ldots, u_n)$ with $u_i\sigma = s_i\sigma$ for every $i$, so $u_i\sigma = t_i\sigma$ for every $i \in f$ and we produce:

$$\dfrac{\dfrac{\dfrac{\sigma \neq \bot,\ A\sigma = P(s_1, \ldots, s_n)\sigma}{\sigma; \Gamma, A, P(t_1, \ldots, t_n), u_j \approx t_j \vdash P(s_1, \ldots, s_n), \Delta}\ (Ax) \qquad \dfrac{\pi'_2}{\sigma; \Gamma, A, P(s_1, \ldots, s_n), P(t_1, \ldots, t_n), u_j \approx t_j \vdash \Delta}}{\sigma; \Gamma, A, P(t_1, \ldots, t_n), u_j \approx t_j \vdash \Delta}\ (*)}{\sigma; \Gamma, A, P(t_1, \ldots, t_n) \vdash \Delta}\ (Fun)$$

where $\pi'_2$ is obtained from $\pi_2$ by Lemma 5, and $(*)$ is by induction.

— $R_1 = (\approx R)$, and $F_0$ is an equality $s \approx t$, then since $F_0$ is principal in $R_2$ as well, $R_2$ must be ($\approx$L), and we transform:

$$\dfrac{\dfrac{\sigma \neq \bot,\ s\sigma = t\sigma}{\sigma; \Gamma \vdash s \approx t, \Delta}\ (\approx R) \qquad \dfrac{\dfrac{\pi_2}{mgu(s \approx t, \sigma); \Gamma \vdash \Delta}}{\sigma; \Gamma, s \approx t \vdash \Delta}\ (\approx L)}{\sigma; \Gamma \vdash \Delta}\ (Cut)$$

into the proof of $\sigma; \Gamma \vdash \Delta$ obtained from $\pi_2$ by Proposition 7, noticing that, since $s\sigma = t\sigma$, $mgu(s \approx t, \sigma) = mgu(\sigma) = \sigma$.

– The case $R_1 = (\supset R)$, $R_2 = (\supset L)$ is standard [6].

— $R_1 = (\forall R)$, $R_2 = (\forall L)$; let $t$ of type $\tau$, and $y_\tau$ not free in $\sigma, \Gamma, \Delta$. We transform:

$$\dfrac{\dfrac{\dfrac{\pi_1}{\sigma; \Gamma \vdash F[x := y_\tau], \Delta}}{\sigma; \Gamma \vdash \forall x_\tau \cdot F, \Delta}\ (\forall R) \qquad \dfrac{\dfrac{\pi_2}{\sigma; \Gamma, \forall x_\tau \cdot F, F[x := t] \vdash \Delta}}{\sigma; \Gamma, \forall x_\tau \cdot F \vdash \Delta}\ (\forall L)}{\sigma; \Gamma \vdash \Delta}\ (Cut)$$

into:

$$\dfrac{\dfrac{\pi_1[y := t]}{\sigma; \Gamma \vdash F[x := t], \Delta} \qquad \dfrac{\dfrac{\dfrac{\pi_1}{\sigma; \Gamma \vdash F[x := y_\tau], \Delta}}{\sigma; \Gamma \vdash \forall x_\tau \cdot F, \Delta}\ (\forall R) \qquad \dfrac{\pi_2}{\sigma; \Gamma, \forall x_\tau \cdot F, F[x := t] \vdash \Delta}}{\sigma; \Gamma, F[x := t] \vdash \Delta}\ (*)}{\sigma; \Gamma \vdash \Delta}\ (Cut)$$

which we now explain and justify. We may assume without loss of generality that $[y := t]$ is an idempotent substitution. By Lemma 8 there is a proof of $mgu(\sigma); \Gamma \vdash F[x := t], \Delta$, hence also of $\sigma; \Gamma \vdash F[x := t], \Delta$ by Proposition 7: this is the proof named $\pi_1[y := t]$ above. This proof has degree $< d$ and height at most $n - 1$. On the other hand, step $(*)$ is obtained by induction hypothesis. Note that the remaining instance of (Cut) has degree $d(F[x := t]) = d(F) < d$.

Finally, it is clear that the processes described above are all effective. □



By easy inductions on degrees, then on the structure of proofs, it follows:

Theorem 3 (Cut Elimination). Every proof of $\sigma; \Gamma \vdash \Delta$ in LKc~ can be effectively transformed into one of the same sequent that does not use (Cut).



5 Related Works

It appears that reducing equality to syntactic equality as we did is not a new idea. Girard ([5], Section 3.1) mentioned a similar trick in the framework of linear logic and proposed the following rules:

$$mgu(t \approx u) = \bot \qquad\qquad \vdash \Gamma\sigma \quad (\sigma = mgu(t \approx u))$$

This is very close to our rules (Refl), ($\approx$L)/($\bot$L) and ($\approx$R), with some immediate instantiation going on. Again, this forces an encoding of non-constructor functions as predicates, as we did. Our import is then, apart from a rigorous account of the idea above, the notion of functionalities of predicates, and the associated rule.

Encoding functions as predicates is a very old idea, and the Principia [16] is already based on a formalization of logic without function symbols. Parikh [11] warns against it, arguing that this may increase proof length greatly: reflexivity proofs (of $s \approx s$ where $s$ contains non-constructor function symbols) may take $O(|s|)$ proof steps to derive. However, Girard [5] argues in favor of it on esthetic grounds, while Baumgartner [2] shows that a similar technique, based on translating clauses with equality to Horn clauses without equality, gives good results in practice, while implementations remain simple enough.
6 Conclusion

We have presented a sound and complete sequent system for a natural first-order logic with free constructors and equality. This system can then be seen as a prelude to the definition of a tableau calculus, designed to automate the search for proofs involving equality, free constructors (and even structural induction, although we have not shown it here): LKc~ is not only sound and complete, but cuts can be eliminated, allowing for practical proof search, at least in principle. We shall deal with the problem of proof search in LKc~ in another paper.
Abstract. linTAP is a tableau prover for the multiplicative and exponential fragment MELL of Girard's linear logic. It proves the validity of a given formula by constructing an analytic tableau and ensures the linear validity using prefix unification. We present the tableau calculus used by linTAP, an algorithm for prefix unification in linear logic, the linTAP implementation, and some experimental results obtained with linTAP.



1 Introduction

Linear logic [12] can be regarded as a refinement of classical as well as of intuitionistic logic. It subsumes these logics because both of them can be embedded into linear logic. Mainly, linear logic has become known as a very expressive logic of action and change. It has found applications in logic programming [14,20], planning [19], modeling concurrent computation [11], and other areas. Its expressiveness, however, results in a high complexity. Validity is undecidable for propositional linear logic. The multiplicative fragment is already NP-complete [16]. The complexity of the multiplicative exponential fragment (MELL) is still unknown. Consequently, proof search in linear logic is difficult to automate.

Various calculi have been developed for linear logic. Beginning with the sequent calculus and proof nets by Girard [12], several optimizations have been proposed. More recently, the connection method has been extended to fragments of linear logic [8,9,15,17]. In this article, we propose a tableau calculus for MELL and for M?LL which is the theoretical basis for our theorem prover linTAP.

linTAP is implemented in a very compact way but uses sophisticated techniques to reduce the search space and thus follows the idea of lean theorem proving. It was inspired by the classical tableau prover leanTAP [2,3] and by the intuitionistic tableau prover ileanTAP [21]. Like in ileanTAP, string unification is used to deal with the non-permutabilities specific to linear logic. This approach has been invented by Wallen in the context of matrix characterizations for non-classical logics [25]. The prefixes used by linTAP are motivated by a matrix characterization for MELL [17]. In our implementation of linTAP we use a leanTAP-like technique for path checking and then try to unify the so-called prefixes of atoms which are closing the branches of the tableau proof like in ileanTAP. Some additional checks are required because of the resource sensitivity of linear logic. Some of these checks are tested already during proof construction.



Neil V. Murray (Ed.): TABLEAUX'99, LNAI 1617, pp. 217-231, 1999.
© Springer-Verlag Berlin Heidelberg 1999
After some preliminaries we propose a tableau calculus for MELL in Section 3. The application of a calculus rule to a formula de-constructs the formula and constructs a prefix for the resulting sub-formulas. An algorithm for the unification of such prefixes is presented in Section 4. A tableau calculus for M?LL, where ? and ! can only occur, respectively, positively and negatively, some details about our theorem prover linTAP, and some experimental results are discussed in Section 5. We conclude with some remarks on related and on future work.

2 Preliminaries

Linear logic [12] treats formulas like resources that disappear after their use unless they are explicitly marked as reusable. It can be seen as the outcome of removing the rules for contraction and weakening from the classical sequent calculus and re-introducing them in a controlled manner. Linear negation ⊥ is involutive like classical negation. The two traditions for writing the sequent rule for conjunction result in two different conjunctions ⊗ and & and two different disjunctions ⅋ and ⊕. The constant true splits up into 1 and ⊤ and false into ⊥ and 0. The unary connectives ? and ! mark formulas for a controlled application of weakening and contraction. Quantifiers ∀ and ∃ are added as usual.

Linear logic can be divided into the multiplicative, additive, and exponential fragment. While in the multiplicative fragment resources are used exactly once, resource sharing is enforced in the additive fragment. Exponentials mark formulas as reusable. All fragments exist in their own right and can be combined freely. The full power of linear logic comes from combining all of them.

In this article we focus on multiplicative exponential linear logic (MELL), the combination of the multiplicative and exponential fragments, leaving the additive fragment and the quantifiers out of consideration. ⊗, ⅋, ⊸, 1, ⊥, !, and ? are the connectives of MELL. In M?LL, ? and ! only occur, respectively, with positive and negative polarity. Linear negation ⊥ expresses the difference between resources that are to be used up and resources to be produced. In order to use up a resource F⊥, F must be produced. Having a resource F1 ⊗ F2 means having F1 as well as F2. F1 ⊸ F2 allows the construction of F2 from F1. F1 ⅋ F2 is equivalent to F1⊥ ⊸ F2 and to F2⊥ ⊸ F1. Having a resource 1 has no impact while nothing can be constructed when ⊥ is used up. A resource !F acts like a machine which produces any number of copies of F. During the construction of !F only such machines can be used. ? is the dual to !.

We adopt Smullyan's uniform notation to MELL. A signed formula φ = F^k denotes an occurrence of F in Δ or Γ. Depending on the label F and its polarity k ∈ {+, −} a signed formula will receive a type α, β, ν, π, o, τ, ω, or a according to the tables below. The functions succ1 and succ2 return the major signed subformulas of a signed formula. Note that during the decomposition of a formula the polarity switches only for ⊥ and ⊸. We use type symbols as meta-variables for signed formulas of the respective type, e.g. α stands for a signed formula of type α and a stands for atomic formulas, i.e. signed predicates.

The validity of a linear logic formula can be proven syntactically by using a sequent calculus. For multi-sets Γ and Δ of formulas Γ ⟶ Δ is called a sequent.
  α          (F1 ⊗ F2)⁻   (F1 ⅋ F2)⁺   (F1 ⊸ F2)⁺        β          (F1 ⊗ F2)⁺   (F1 ⅋ F2)⁻   (F1 ⊸ F2)⁻
  succ1(α)   F1⁻          F1⁺          F1⁻               succ1(β)   F1⁺          F1⁻          F1⁺
  succ2(α)   F2⁻          F2⁺          F2⁺               succ2(β)   F2⁺          F2⁻          F2⁻

  o          (F⊥)⁻   (F⊥)⁺        ν          (!F)⁻   (?F)⁺        π          (!F)⁺   (?F)⁻
  succ1(o)   F⁺      F⁻           succ1(ν)   F⁻      F⁺           succ1(π)   F⁺      F⁻

  τ   ⊥⁻   1⁺          ω   1⁻   ⊥⁺          a   A^k

Table 1. Uniform notation for signed MELL formulas

It can be understood as the specification of a transformation which constructs Δ from Γ. The formulas in Γ are connected implicitly by ⊗ while the formulas in Δ are connected implicitly by ⅋.

A sequent calculus for MELL based on our uniform notation is depicted in Table 2. Omitting the π-rule yields a calculus for M?LL. In a rule, the sequents above the line are the premises and the one below is the conclusion. A principal formula is a formula that occurs in the conclusion but not in any premise. Formulas that occur in a premise but not in the conclusion are called active. All other formulas compose the context. Σ₁ is correct and complete w.r.t. Girard's original sequent calculus [12].



  axiom   ⟶ A⁺, A⁻                           τ   ⟶ τ

  α   ⟶ Γ, succ1(α), succ2(α)                β   ⟶ Γ1, succ1(β)    ⟶ Γ2, succ2(β)
      ------------------------                   ----------------------------------
      ⟶ Γ, α                                     ⟶ Γ1, Γ2, β

  o   ⟶ Γ, succ1(o)       ν   ⟶ Γ, succ1(ν)       π   ⟶ ν1, …, νn, succ1(π)
      ---------------         ---------------         -------------------------
      ⟶ Γ, o                  ⟶ Γ, ν                  ⟶ ν1, …, νn, π

  w   ⟶ Γ                 c   ⟶ Γ, ν, ν
      ---------               -----------
      ⟶ Γ, ω                  ⟶ Γ, ν

Table 2. Sequent calculus Σ₁ for MELL in uniform notation

In analytic proof search, one starts with the sequent to be proven and reduces it by application of rules until the axiom-rule or the τ-rule can be applied. There are several choice points within this process. As in classical logic, first, a principal formula must be chosen. Unless the principal formula has type ν, this choice determines which rule must be applied. Formulas of type ν are generic. They can be duplicated using the contraction rule c and are removed by the weakening rule w. When the β-rule is applied the context of the sequent must be split, i.e. Γ1 and Γ2 must be a partition of the context. Several solutions have been proposed in order to optimize these choices [1,10,23,6,13]. Additional difficulties arise from the rules axiom, τ, and π. The rules axiom and τ require an empty context which expresses that all formulas must be used up in a proof. The π rule requires that all formulas in the context are of type ν. The careful handling of the context reflects the resource sensitivity of linear logic.

Example 1. Figure 1 presents a Σ₁-proof of φ = (((A⊥ ⊸ ⊥) ⊗ !A) ⅋ ?(A⊥))⁺. We abbreviate occurrences of subformulas of φ by position markers as shown in the table on the right. Note that any proof of φ requires that the contraction rule c is applied before the β-rule.
[Figure 1: a Σ₁-proof of φ, with subformulas abbreviated by position markers. Read bottom-up, ⟶ α1 is reduced by the α-rule to ⟶ β11, ν12; the contraction rule c yields ⟶ β11, ν12, ν12, and the β-rule splits this into ⟶ α111, ν12 and ⟶ π112, ν12. The left branch continues with ⟶ a1111, ω1112, ν12 (α), ⟶ a1111, ν12 (w), ⟶ a1111, o121 (ν), ⟶ a1111, a1211 (o) and closes by axiom; the right branch continues with ⟶ a1121, ν12 (π), ⟶ a1121, o121 (ν), ⟶ a1121, a1211 (o) and closes by axiom. Position markers: α1 : φ; β11 : (A⊥ ⊸ ⊥) ⊗ !A; α111 : A⊥ ⊸ ⊥; a1111 : A⊥ (the antecedent of α111); ω1112 : ⊥; π112 : !A; a1121 : A; ν12 : ?(A⊥); o121 : A⊥; a1211 : A.]

Fig. 1. An example Σ₁-proof.



3 A Tableau Calculus

The tableau calculus presented in this section is motivated by a matrix characterization for MELL [17].

Basic Definitions. We assume disjoint sets $\Phi^M$, $\Psi^M$, $\Phi^E$, and $\Psi^E$ of characters. $\phi^M$, $\psi^M$, $\phi^E$, and $\psi^E$ are used as meta-variables for characters from the respective set. Elements of $\Phi^M$ and $\Psi^M$ are called multiplicative and elements of $\Phi^E$ and $\Psi^E$ are called exponential. Characters in $\Phi^M$ and $\Phi^E$ are called variable and characters in $\Psi^M$ and $\Psi^E$ are called constant. The intuition is that variable characters can be substituted while constant characters cannot. A prefix $s$ is a string over these sets, i.e. $s \in (\Phi^M \cup \Psi^M \cup \Phi^E \cup \Psi^E)^*$. A multiplicative string substitution is a mapping $\sigma_M : \Phi^M \to (\Phi^M \cup \Psi^M)^*$. An exponential string substitution is a mapping $\sigma_E : \Phi^E \to (\Phi^M \cup \Psi^M \cup \Phi^E \cup \Psi^E)^*$. A string substitution is a mapping $\sigma : (\Phi^M \cup \Phi^E) \to (\Phi^M \cup \Psi^M \cup \Phi^E \cup \Psi^E)^*$ such that the restriction of $\sigma$ to $\Phi^M$ is a multiplicative string substitution and the restriction to $\Phi^E$ is an exponential string substitution. We extend $\sigma$ homomorphically to strings from $(\Phi^M \cup \Psi^M \cup \Phi^E \cup \Psi^E)^*$ where $\sigma$ is the identity on constant characters.¹

A position $p$ is a string from $P = \{l, r\}^* \cup \{0\}$. $p$ is a sub-position of a position $p'$ if $p'$ is a proper prefix of $p$, e.g. $lrl$ is a sub-position of $lr$. A multiplicity $\mu$ is a function which assigns natural numbers to positions, i.e. $\mu : P \to \mathbb{N}$. Using multiplicities, we determine the number of duplicates of generic formulas in a tableau. We mark each occurrence of a formula in a tableau proof with a position. In a tableau for $\varphi$, $\varphi$ is marked with position $0$. If $\varphi$ is marked with $p$ then the left and right subformula of $\varphi$ are marked with $p \circ l$ and $p \circ r$, respectively. For a generic formula $\varphi$ the $j$th instance of the subformula is marked with $p \circ j$.

Definition 2. Let $\varphi$ be a signed formula, $s$ be a prefix, and $p$ be a position. Then $\varphi : s\ (p)$ is called a prefixed formula. If $\varphi$ is of type a, τ, ω, or ν then $[\varphi] : s\ (p)$ is a prefixed formula as well. We refer to the latter kind as marked prefixed formulas. The type of a prefixed formula $\varphi : s\ (p)$ is the type of $\varphi$. We use the same meta-variables for prefixed formulas as for signed formulas. If necessary, we will point out what kind of formula is denoted by a specific meta-variable.

Definition 3. A connection is a one-element set containing a marked prefixed formula of type τ or a two-element set containing two marked atomic prefixed formulas with the same label and opposite signs. A weakening map is a set of marked prefixed formulas of type ω and of type ν with multiplicity 0.



¹ For M?LL the set $\Psi^E$ is not needed. Thus, $\Phi^M$ and $\Phi^E$ need not be distinguished.
For example, a set $\{[1]^+ : s\ (p)\}$ or a set $\{[A]^+ : s\ (p), [A]^- : s'\ (p')\}$ is a connection; $\emptyset$, $\{[\bot]^+ : s\ (p)\}$ and a set $\{\ldots, [1]^- : s'\ (p')\}$ of such marked formulas are weakening maps.
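Table 1's typing of signed formulas, the position marking of Section 3 and the two-element connections of Definition 3, as an added Python example (this is not code from linTAP or the paper). It uses the formula of Example 1 as constructed input and assumes that a negated atom A⊥ is decomposed by the o-rule like any negation, that the single successor of an o- or π-formula sits at p∘l, and that a ν-formula of multiplicity 0 produces no instance; the type names are spelled out ('alpha', 'beta', ...).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fm:
    op: str            # 'atom', 'neg', 'tensor', 'par', 'lolli', 'bang', 'quest', 'one', 'bot'
    args: tuple = ()   # subformulas; for 'atom' the single argument is the predicate name


def atom(name): return Fm("atom", (name,))
def neg(f): return Fm("neg", (f,))            # F⊥
def tensor(f, g): return Fm("tensor", (f, g))  # F ⊗ G
def par(f, g): return Fm("par", (f, g))        # F ⅋ G
def lolli(f, g): return Fm("lolli", (f, g))    # F ⊸ G
def bang(f): return Fm("bang", (f,))           # !F
def quest(f): return Fm("quest", (f,))         # ?F
ONE, BOT = Fm("one"), Fm("bot")

# Table 1: (main connective, polarity) -> type.  A signed formula is a pair
# (formula, polarity), polarity '+' for an occurrence in Δ and '-' for one in Γ.
TYPE = {("tensor", "-"): "alpha", ("par", "+"): "alpha", ("lolli", "+"): "alpha",
        ("tensor", "+"): "beta",  ("par", "-"): "beta",  ("lolli", "-"): "beta",
        ("neg", "+"): "o",        ("neg", "-"): "o",
        ("bang", "-"): "nu",      ("quest", "+"): "nu",
        ("bang", "+"): "pi",      ("quest", "-"): "pi",
        ("bot", "-"): "tau",      ("one", "+"): "tau",
        ("one", "-"): "omega",    ("bot", "+"): "omega",
        ("atom", "+"): "a",       ("atom", "-"): "a"}


def ftype(signed):
    f, k = signed
    return TYPE[(f.op, k)]


def flip(k):
    return "-" if k == "+" else "+"


def succ(signed):
    """succ1/succ2 of Table 1.  The polarity switches only for ⊥ (negation) and
    for the antecedent F1 of F1 ⊸ F2."""
    f, k = signed
    if f.op in ("tensor", "par"):
        return [(f.args[0], k), (f.args[1], k)]
    if f.op == "lolli":
        return [(f.args[0], flip(k)), (f.args[1], k)]
    if f.op == "neg":
        return [(f.args[0], flip(k))]
    if f.op in ("bang", "quest"):
        return [(f.args[0], k)]
    return []                      # atoms and constants have no major subformulas


def positions(signed, mult, p="0"):
    """Mark every occurrence with a position: the root gets 0, the left and right
    subformulas p∘l and p∘r, the j-th instance of a generic (ν) formula's
    subformula p∘j (mult maps a position to its multiplicity).  Assumption: the
    single successor of an o- or π-formula sits at p∘l."""
    out = {p: signed}
    kids = succ(signed)
    if ftype(signed) == "nu":
        for j in range(1, mult.get(p, 0) + 1):
            out.update(positions(kids[0], mult, p + str(j)))
    elif len(kids) == 2:
        out.update(positions(kids[0], mult, p + "l"))
        out.update(positions(kids[1], mult, p + "r"))
    elif len(kids) == 1:
        out.update(positions(kids[0], mult, p + "l"))
    return out


def is_connection(s1, s2):
    """Two-element connections of Definition 3: two atomic signed formulas with
    the same label and opposite signs."""
    (f1, k1), (f2, k2) = s1, s2
    return f1.op == "atom" and f1 == f2 and k1 != k2


def sub_position(p, q):
    """p is a sub-position of q iff q is a proper prefix of p (e.g. lrl of lr)."""
    return q != p and p.startswith(q)


# Constructed input: the formula of Example 1, (((A⊥ ⊸ ⊥) ⊗ !A) ⅋ ?(A⊥))⁺, with two
# copies of the ?-formula, i.e. multiplicity 2 at its position 0r.
A = atom("A")
PHI = (par(tensor(lolli(neg(A), BOT), bang(A)), quest(neg(A))), "+")
MARKED = positions(PHI, {"0r": 2})
TYPES = {p: ftype(s) for p, s in MARKED.items()}

if __name__ == "__main__":
    for p in sorted(MARKED, key=lambda q: (len(q), q)):
        print(p, TYPES[p])
    print(is_connection(MARKED["0llll"], MARKED["0r1l"]))    # True
```

The two atoms reachable from the copies of ?(A⊥) at 0r1 and 0r2 are the partners of the atoms under 0l, which is why Example 1 needs the contraction before the β-rule.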

Note that Definition 3 imposes the same restrictions on the elements of a connection as the Σ₁-rules τ and axiom do for the principal formulas in order to close a branch. It requires the same properties for the elements of a weakening map as the Σ₁-rules ω and w do for the principal formulas in order to remove a formula. This resembles the relation between a proof according to the connection method and the set of sequent proofs represented by it [17]. It should be helpful to keep this in mind in order to grasp the intuition behind the following definitions.

Complementarity Conditions and Closed Tableaux. We now define some complementarity conditions which are crucial for our definition of closed tableaux in MELL. Each condition is motivated by a property of the sequent calculus Σ₁ in Table 2 and, if possible, an intuitive explanation based on the resource sensitivity of linear logic is given. In the following we always assume C to be a set of connections, W to be a weakening map, and σ to be a string substitution.

— Resources can be used at most once and disappear after their use. In Σ₁ this is reflected by the lack of a general rule for contraction and by the context split in the β-rule. C is linear if each prefixed formula occurs in at most one connection. C and W are linear if C is linear and p is not a sub-position of p' for any φ : s (p) which occurs in a connection from C and any φ' : s' (p') ∈ W. Intuitively, this linearity condition says that a formula cannot contribute to an axiom in a corresponding sequent proof if it has been weakened and that it cannot contribute to more than one axiom.

— Resources cannot disappear without a reason. They must be consumed. In Σ₁ this is reflected by the lack of a general rule for weakening and by the requirement of an empty context in the rules axiom and τ. C and W are relevant for a set of prefixed formulas T if each φ : s (p) ∈ T occurs at least in one connection or a φ' : s' (p') ∈ T occurs in W where p is a sub-position of p'. Intuitively, relevance demands for a corresponding sequent proof that a formula must contribute to an axiom unless it has been weakened.

— In Σ₁ the context only is divided by the application of a β-rule. Let B be a set of prefixed formulas of type β and let B_W = {(φ : s (p)) ∈ B | there is no (φ' : s' (p')) ∈ W such that p is a sub-position of p'}. C and W have the right cardinality for B if |C| = |B_W| + 1.

— In Σ₁ certain rule applications can be permuted while others cannot. The non-permutability of rules for linear logic has been investigated e.g. in [10]. The existence of a suitable order of non-permutable rule applications is expressed by the unifiability of prefixes. C and W are unified by σ if

• for each c ∈ C the prefixes of all elements of c are identical under σ and

• for each φ ∈ W there is a c ∈ C such that the prefix of φ is an initial substring of the prefix of the elements of c under σ.

Definition 4. Let φ be a prefixed formula.

1. The one-branch tree φ is a tableau for φ.

2. If T is a tableau for φ and T* results from T by the application of a tableau expansion rule from Table 3 then T* is a tableau for φ.
[Table 3 survives only in outline. Its rule groups are: α-rules for (F1 ⊸ F2)⁺ : s (p) and (F1 ⊗ F2)⁻ : s (p), producing the signed subformulas at positions p∘l and p∘r; ν-rules (for μ(F1) > 0) for (!F1)⁻ : s (p) and (?F1)⁺ : s (p); ω-rules (for μ = 0) marking [!F1]⁻ and [?F1]⁺ at p∘l; ω-rules for 1⁻ : s (p) and ⊥⁺ : s (p) marking [1]⁻ and [⊥]⁺ at p∘l; a-rules for A⁻ : s (p) and A⁺ : s (p) marking [A]⁻ and [A]⁺ at p∘l; τ-rules for ⊥⁻ : s (p) and 1⁺ : s (p) marking [⊥]⁻ and [1]⁺ at p∘l, with a prefix s' that depends on whether the last character of s is multiplicative; β-rules for (F1 ⅋ F2)⁻ : s (p), (F1 ⊗ F2)⁺ : s (p) and (F1 ⊸ F2)⁻ : s (p), branching on the subformulas at p∘l and p∘r; π-rules for (!F1)⁺ : s (p) and (?F1)⁻ : s (p), with a prefix s'' that depends on whether the last character of s is exponential; and o-rules for (F1⊥)⁺ : s (p) and (F1⊥)⁻ : s (p), with the successor at p∘l. Each rule extends the prefix s by a fresh variable or constant character indexed by the new position.]

Table 3. A prefix-based tableau calculus for MELL
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Expansion rules are applied as usual [7]. The application of a rule de-constructs 
a formula, possibly enlarges the prefix, and constructs a position. A tableau is 
strict if each occurrence of a formula is reduced at most once on a branch. In 
a strict tableau, prefixed formulas can be uniquely identified by their positions. 
In the sequel, we will consider only strict tableaux and will extensively use the 
isomorphism between formulas in a given tableaux and their positions. 

Definition 5. A branch of a tableau is closed by a connection c if all elements 
of c occur on that branch. 

Let T be a tableau for φ, $\mathcal{A}_T$ be the set of prefixed formulas of type α, τ, ω, and
ν (with multiplicity 0) which occur in T, and $\mathcal{B}_T$ be the set of prefixed formulas
of type β in T. Further, let $\mathcal{C}$ be a set of connections where the elements of
connections are from $\mathcal{A}_T$. Let $\mathcal{W}$ be a weakening map with elements from $\mathcal{A}_T$.
Let σ be a string substitution. Then $\mathcal{C}$ and $\mathcal{W}$ fulfill linearity in T iff $\mathcal{C}$ and $\mathcal{W}$
are linear. $\mathcal{C}$ and $\mathcal{W}$ fulfill relevance in T iff $\mathcal{C}$ and $\mathcal{W}$ are relevant for $\mathcal{A}_T$. $\mathcal{C}$ and
$\mathcal{W}$ fulfill cardinality in T iff $\mathcal{C}$ and $\mathcal{W}$ have the right cardinality for $\mathcal{B}_T$. $\mathcal{C}$, $\mathcal{W}$,
and σ fulfill unifiability for T iff $\mathcal{C}$ and $\mathcal{W}$ are unified by σ.

Definition 6. Let T be a tableau for a prefixed formula φ. Further, let $\mathcal{C}$ be a
set of connections, $\mathcal{W}$ be a weakening map, and σ be a string substitution. T is
closed by $\mathcal{C}$, $\mathcal{W}$, and σ iff the following conditions hold:

— Each branch of T is closed by a connection from $\mathcal{C}$.

— $\mathcal{C}$, $\mathcal{W}$, and σ fulfill linearity, relevance, cardinality, and unifiability for T.



Example 7. A tableau T for ((A ⅋ ⊥) ⊗ !A) ⅋ ?(A^⊥) is depicted in Figure 2. The
set of connections $\mathcal{C} = \{\{0llll, 0rlll\}, \{0lrll, 0rllll\}\}$ closes the branches of the
tableau. Let $\mathcal{W} = \{0llrl\}$ be a weakening map and σ be a string substitution that
unifies the prefixes of the two connections. Then T is closed by $\mathcal{C}$, $\mathcal{W}$, and σ.

The following theorems state that the tableau calculus in Table 3 is correct and
complete. In order to follow the proof sketches prior knowledge of [17] is required.

Theorem 8 (Correctness). If there is a closed tableau for a prefixed formula
φ = F⁺ : (0) for some multiplicity μ then F is valid.

Proof Sketch: Let T be a tableau for φ with multiplicity μ which is closed by $\mathcal{C}$,
$\mathcal{W}$, and σ. We construct a matrix proof for the matrix M of φ. The correctness
of the matrix characterization in [17] then implies that φ is valid.

For every prefixed formula in T there is a corresponding node n in M
with the same label, polarity, type, and ancestors which are equivalent under
this relation. Let m be an injective mapping which assigns to a formula in T a
corresponding node in M. All non-special nodes in M are in the image of m. We
define the application of m to sets as the application of m to the elements. For
any path of leaves P through M there is a branch B in T with marked formulas
$T_B$ such that $m(T_B) \subseteq P$ holds. Let $\mathcal{C}_M = m(\mathcal{C})$ and $\mathcal{W}_M = m(\mathcal{W})$. Since all
branches of T are closed by $\mathcal{C}$, $\mathcal{C}_M$ is spanning for M. $\mathcal{C}_M$ and $\mathcal{W}_M$ are linear,




224 Heiko Mantel and Jens Otten 



[Fig. 2. An example tableau for ((A ⅋ ⊥) ⊗ !A) ⅋ ?(A^⊥), nodes 1-17. Rule applications: α on (1) gives 2: ((A ⅋ ⊥) ⊗ !A)⁺ at (0l) and 3: ?(A^⊥)⁺ at (0r); ν on (3) gives 4 and 5: (A^⊥)⁺; β on (2) gives 6: (A ⅋ ⊥)⁺ at (0ll) and 7: (!A)⁺ at (0lr); α on (6) gives 8: A⁺ and 9: ⊥⁺; o on (4) gives 10: A⁻; ω on (9) gives 11: [⊥]⁺ at (0llrl); the a-rule on (8) and (10) gives 12: [A]⁺ at (0llll) and 13: [A]⁻ at (0rlll); π on (7) gives 14: A⁺; o on (5) gives 15: A⁻; the a-rule on (14) and (15) gives 16: [A]⁺ at (0lrll) and 17: [A]⁻ at (0rllll). The prefixes of the nodes are not reproduced.]



relevant, and have the cardinality property for M. Marked formulas of type α, τ,
ω, and ν have the same prefix (under renaming) as the corresponding nodes in
M. Therefore, σ is a unifier for $\mathcal{C}_M$ and $\mathcal{W}_M$ in M. Thus, M is complementary
for $\mathcal{C}_M$, $\mathcal{W}_M$, and σ.

Theorem 9 (Completeness). If a formula F is valid then there exists a closed
tableau for the prefixed formula φ = F⁺ : (0).

Proof Sketch: From any matrix proof of the matrix M of φ a closed tableau
for φ can be constructed. The completeness of the matrix characterization then
implies that a closed tableau for any valid formula exists.

The crucial step is that if there is a complementary matrix for φ with
multiplicity μ' then there is a multiplicity μ, a set of connections $\mathcal{C}$, a weakening
map $\mathcal{W}$ without elements of the type introduced by the π-rule, and a string substitution σ
such that the matrix M for φ with multiplicity μ is complementary for $\mathcal{C}$, $\mathcal{W}$, and σ.
Using $\mathcal{C}$, $\mathcal{W}$, and σ, a closed tableau for φ can be constructed.



4 Prefix Unification 

The computation of a string substitution σ is one of the key components necessary
to perform proof search in the prefix-based tableau calculus introduced in
the previous section. A single string substitution σ has to unify the prefixes of
each connection in the set $\mathcal{C}$. Furthermore the weakening map $\mathcal{W}$ has to fulfill the
unifiability condition under this substitution σ. This condition can be reduced
to unification since a prefix s is an initial substring of a prefix t iff s∘V and t
can be unified where V is a new variable.

String unification in general is rather complicated but fortunately unifying
prefixes is much easier since there are two restrictions on prefixes: prefixes are
strings without duplicates and in any two prefixes (corresponding to atoms of the
same formula) equal characters can only occur within a common substring at the
beginning of the prefixes. In [22] we introduced a prefix unification algorithm,
so-called T-String Unification, to unify prefixes in matrix based proof methods
for non-classical logics, i.e. intuitionistic logic and the modal logics D, K, D4,
K4, S5, and T. Only minor modifications are necessary to adapt this algorithm
to deal with the prefixes arising in our tableau calculus for MELL: we have to
distinguish between characters (i.e. positions) of type

Similar to the ideas of Martelli and Montanari [18] we consider the process
of unification as a sequence of transformation steps. We start with the given
set of (prefix-) equations $\Gamma = \{s_1 = t_1, \ldots, s_n = t_n\}$ and an empty substitution
$\sigma = \emptyset$. Each transformation step replaces the tuple $(\Gamma, \sigma)$ by a modified tuple
$(\Gamma', \sigma')$ where $\Gamma'$ is the result of replacing one equation in $\Gamma$ by $\{s'_i = t'_i\}$
and applying the substitution $\sigma'$ to the resulting equation set. The algorithm
is described by transformation rules "$\{s_i = t_i\}, \sigma \to \{s'_i = t'_i\}, \sigma'$" which can be
applied nondeterministically to the selected equation $\{s_i = t_i\} \in \Gamma$. The set $\Gamma$ is
solvable iff there are some transformation steps transforming the tuple $(\Gamma, \emptyset)$ into
the tuple $(\emptyset, \sigma)$. In this case the substitution σ represents an idempotent most
general unifier for $\Gamma$. The set of all resulting most general unifiers is minimal.
For technical reasons we divide the right part $t_i$ of each equation into two parts $z|t_i$
where the left part $z$ contains the substring which is not yet assigned to a
variable. Therefore we start with the set of prefixes $\Gamma = \{s_1 = \varepsilon|t_1, \ldots, s_n = \varepsilon|t_n\}$.

Definition 10. Let $\mathcal{V}$ be a set of variables, $\mathcal{C}$ be a set of constants, and $\mathcal{V}'$ be a set
of auxiliary variables (with $\mathcal{V} \cap \mathcal{V}' = \emptyset$); each of these sets is the disjoint union of
two parts, one for each character type, and the union of the variables and auxiliary
variables of a type is written with a hat. The set of transformation rules for
MELL is defined in Table 4.




$s, t, z \in (\mathcal{V} \cup \mathcal{C} \cup \mathcal{V}')^*$ denote (arbitrary) strings, $s^+, z^+ \in (\mathcal{V} \cup \mathcal{C} \cup \mathcal{V}')^+$ denote non-empty strings.
$X, V, V_1, C, C_1$ and $C_2$ denote single characters with $X \in \mathcal{V} \cup \mathcal{C} \cup \mathcal{V}'$, $V, V_1 \in \mathcal{V} \cup \mathcal{V}'$ (with $V \neq V_1$), and
$C, C_1, C_2 \in \mathcal{C}$. $V'$ denotes a new auxiliary variable (of the appropriate type) which does not occur in the substitution σ computed
so far. To apply rule R10 or R10' the following must hold: $V \neq X$, and $s = \varepsilon$ or $t \neq \varepsilon$ or $X \in \mathcal{C}$.

Table 4. Transformation rules for MELL (the rule bodies are not reproduced)
These rules are identical with the transformation rules presented in [22].
We only added rules R8' and R10' (which are applied instead of rules R8 and
R10 in certain cases) and some additional restrictions for the rules R7 and R9
(characters X of one type cannot be assigned to variables V of the other type). We use the
notation $\{x\backslash t \mid \sigma(x) = t \text{ and } x \neq t\}$ to specify a substitution σ and omit the string
concatenation operator "∘". See [22] for a graphical motivation of these rules, a
more detailed description of the algorithm, and some complexity results.



Example 11. Consider the formula ((A ⅋ ⊥) ⊗ !A) ⅋ ?(A^⊥) from Example 7 and
the unification of the two prefixes of one of its connections. To keep the notation
simple we substitute each character $\phi_p$ and $\psi_p$ by $C_{|p|}$ and $V_{|p|}$, respectively, i.e. we
start the unification process with a tuple of the form $\{C\,V\,C\,V = \varepsilon|C\,V\,C\,V\}, \{\}$
(indices omitted here) and apply the transformation rules according to Table 4:

[transformation sequence applying the rules R8, R10, R3, R9, R10, R5 and R1 of Table 4; the intermediate tuples are not reproduced]

The only successful transformation sequence, leading to a tuple $\{\}, \sigma$, yields
a substitution σ of the form $\{V\backslash V\,C\,V',\; V\backslash V'\,C\,V\}$, i.e. one variable of the first
prefix is bound to a variable of the second prefix followed by a constant and a new
variable $V'$, and one variable of the second prefix is bound to $V'$ followed by a
constant and a variable of the first prefix. Applying rule R10 instead of rule R8
(which is the only nondeterministic choice) does not lead to any successful
transformation sequence. Thus this is the only (most general) unifier, where $V'$
is a newly introduced variable.



For the fragment MLL of linear logic (on which we will focus in the following
section of this paper) we do not need to deal with the two character types
introduced by the π-rule. Furthermore all prefixes to be unified have the form
$C_1 V_1 C_2 V_2 \cdots C_n V_n$ (where $V_i \in \mathcal{V}$ and $C_i \in \mathcal{C}$), allowing us to drop rules R2, R4,
R6, and R7 (see also [15]).

Definition 12. Let $\mathcal{V} = \Psi$ be a set of variables, $\mathcal{C} = \Phi$ be a set of constants,
and $\mathcal{V}'$ be a set of auxiliary variables (with $\mathcal{V} \cap \mathcal{V}' = \emptyset$). The set of transformation
rules for MLL is defined in Table 5.



R1.  $\{\varepsilon = \varepsilon|\varepsilon\},\ \sigma \;\to\; \{\},\ \sigma$

R3.  $\{Xs = \varepsilon|Xt\},\ \sigma \;\to\; \{s = \varepsilon|t\},\ \sigma$

R5.  $\{Vs = z|\varepsilon\},\ \sigma \;\to\; \{s = \varepsilon|\varepsilon\},\ \{V\backslash z\} \cup \sigma$

R8.  $\{Vs^+ = \varepsilon|V_1 t\},\ \sigma \;\to\; \{V_1 t = V|s^+\},\ \sigma$

R9.  $\{Vs^+ = z^+|V_1 t\},\ \sigma \;\to\; \{V_1 t = V'|s^+\},\ \{V\backslash z^+ V'\} \cup \sigma$

R10. $\{Vs = z|Xt\},\ \sigma \;\to\; \{Vs = zX|t\},\ \sigma$   (if $V \neq X$, and $s = \varepsilon$ or $t \neq \varepsilon$ or $X \in \mathcal{C}$)

$s, t, z \in (\mathcal{V} \cup \mathcal{C} \cup \mathcal{V}')^*$ denote (arbitrary) strings, $s^+, z^+ \in (\mathcal{V} \cup \mathcal{C} \cup \mathcal{V}')^+$ denote non-empty strings. $X$, $V$,
and $V_1$ denote single characters with $X \in \mathcal{V} \cup \mathcal{C} \cup \mathcal{V}'$ and $V, V_1 \in \mathcal{V} \cup \mathcal{V}'$ (with $V \neq V_1$). $V' \in \mathcal{V}'$ is a new
variable which does not occur in the substitution σ computed so far.

Table 5. Transformation rules for MLL
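The unification procedure of this section, the reduction of the weakening condition to unification (s is an initial substring of t iff s∘V and t unify for a new variable V) and the rule set of Table 5, as an added example that is not part of the paper and not the linTAP source: a Python transcription of rules R1, R3, R5, R8, R9 and R10 that enumerates all most general unifiers of a set of prefix equations. The token representation (upper-case tokens are variables, lower-case tokens are constants), the naming V_1, V_2, ... of the auxiliary variables V', and the sample prefixes are assumptions of this example.

```python
"""T-string unification restricted to MLL prefixes (rules R1, R3, R5, R8,
R9 and R10 of Table 5).  Assumptions of this example: a prefix is a list of
tokens; upper-case tokens ('V1', 'V2', ...) are variables, lower-case tokens
('c1', 'c2', ...) are constants; auxiliary variables introduced by R9 are
named 'V_1', 'V_2', ...  The equation {s = z|t} is the triple (s, z, t)."""
from itertools import count
from typing import Dict, Iterator, List, Tuple

Str = List[str]            # a prefix, one token per character
Subst = Dict[str, Str]     # substitution: variable -> string
_aux = count(1)            # numbering for the new variables V' of rule R9


def is_var(x: str) -> bool:
    """Upper-case tokens are variables (psi characters); the rest are constants."""
    return x[:1].isupper()


def apply_subst(sigma: Subst, s: Str) -> Str:
    """Apply sigma to s, chasing bindings through other bound variables
    (linTAP gets this for free from Prolog logic variables plus flatten/3)."""
    out: Str = []
    for x in s:
        out.extend(apply_subst(sigma, sigma[x]) if is_var(x) and x in sigma else [x])
    return out


def tunify(s: Str, z: Str, t: Str, sigma: Subst) -> Iterator[Subst]:
    """Enumerate all substitutions solving {s = z|t} under sigma.

    z is the part of the right-hand side already moved in front of the
    separator; it is what the first variable of s will be bound to."""
    s, z, t = apply_subst(sigma, s), apply_subst(sigma, z), apply_subst(sigma, t)
    if not s and not z and not t:                        # R1: solved
        yield sigma
        return
    if s and t and not z and s[0] == t[0]:               # R3: drop equal first characters
        yield from tunify(s[1:], [], t[1:], sigma)       # (applied with cut, as in linTAP)
        return
    if not s or not is_var(s[0]) or s[0] in z:           # a constant cannot absorb z;
        return                                           # occurs check against cyclic bindings
    v = s[0]
    if not t:                                            # R5: V := z, rest of s must vanish
        yield from tunify(s[1:], [], [], {**sigma, v: z})
        return
    if len(s) >= 2 and is_var(t[0]):
        if not z:                                        # R8: swap sides, {V1 t = V|s+}
            yield from tunify(t, [v], s[1:], sigma)
        else:                                            # R9: V := z+ V', {V1 t = V'|s+}
            v_new = f"V_{next(_aux)}"
            yield from tunify(t, [v_new], s[1:], {**sigma, v: z + [v_new]})
    x = t[0]                                             # R10: move X from t to z, allowed if
    if v != x and (len(s) == 1 or len(t) > 1 or not is_var(x)):   # s=eps or t!=eps or X in C
        yield from tunify(s, z + [x], t[1:], sigma)


def unify_prefixes(equations: List[Tuple[Str, Str]]) -> List[Subst]:
    """Solve the equation set {s1 = t1, ..., sn = tn}, each started as {si = eps|ti};
    returns every most general unifier, fully resolved."""
    def solve(i: int, sigma: Subst) -> Iterator[Subst]:
        if i == len(equations):
            yield {v: apply_subst(sigma, [v]) for v in sigma}
            return
        s, t = equations[i]
        for sig in tunify(s, [], t, sigma):
            yield from solve(i + 1, sig)
    return list(solve(0, {}))


def unifies(sigma: Subst, s: Str, t: Str) -> bool:
    """True iff sigma makes the two prefixes identical."""
    return apply_subst(sigma, s) == apply_subst(sigma, t)


def is_initial_substring(s: Str, t: Str) -> bool:
    """Weakening-map test of Section 4: s is an initial substring of t under some
    substitution iff s o V and t are unifiable for a new variable V."""
    return bool(unify_prefixes([(s + [f"V_{next(_aux)}"], t)]))


if __name__ == "__main__":
    # Constructed input: prefixes of two atoms that share only their first character.
    s, t = ["c1", "V1", "c2", "V2"], ["c1", "V3", "c3", "V4"]
    for sigma in unify_prefixes([(s, t)]):
        print({k: " ".join(w) for k, w in sigma.items()}, unifies(sigma, s, t))
```

On the constructed pair c1 V1 c2 V2 = c1 V3 c3 V4 the R8 branch binds V3 to V1 c2 V' and V2 to V' c3 V4, while the R10 branch binds V1 to V3 c3 V'' and V4 to V'' c2 V2: two incomparable most general unifiers, which is why the nondeterministic choice between R8 and R10 has to be explored in both directions (the Prolog version reaches the second one on backtracking). Once R3 has consumed the common initial substring, a differing constant makes the equation unsolvable; that is the "equal characters only within a common initial substring" restriction at work.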








5 A Tableau Prover

In this section we present an implementation of the tableau calculus for the
fragment MLL. We first present the calculus and repeat some definitions.

A Tableau Calculus for MLL. The tableau calculus for MLL is similar to
the calculus for MELL presented in Table 3. Since ? and ! can only occur, respectively,
with positive and negative polarity we do not need the π-rule anymore.
Because of that, the two position types introduced by the π-rule do not occur anymore. Furthermore
the ν-rules use a stepwise contraction and the τ- and ω-rules are modified. Let
$N$ be the set of all predicate symbols in the formula F. A tableau for a formula
F is defined as usual (see Definition 4) but with the tableau expansion
rules from Table 6, where $A_F \notin N$ is a predicate symbol and $X_F \in \mathcal{X}$ is a predicate
variable. Let T be a tableau, σ be a string substitution, and
$\sigma_X : \mathcal{X} \to N \cup \{A_F\}$ be a predicate substitution.

Definition 13. A branch of T is closed iff it contains a complementary connection,
i.e. $\{[A]^- : s\ (p),\ [B]^+ : t\ (q)\}$ where $\sigma(s) = \sigma(t)$ and $\sigma_X(A) = \sigma_X(B)$.

Let T be a tableau, $\mathcal{C}$ be a set of connections, and $\mathcal{A}_T$ and $\mathcal{B}_T$ be the sets of all
positions of formulas of type α and β, respectively, in T.

Definition 14. A tableau T is closed iff (1.) every branch of T is closed by a
$c \in \mathcal{C}$ under σ, (2.) if $\{a,b\} \in \mathcal{C}$ and $\{a,c\} \in \mathcal{C}$ then $b = c$ (linearity), (3.)
$2|\mathcal{C}| = |\mathcal{A}_T| + |\mathcal{B}_T| + 1$ (relevance), and (4.) $2|\mathcal{C}| = 2|\mathcal{B}_T| + 2$ (cardinality).

Theorem 15 (Correctness and Completeness). A formula F is valid in the
fragment MLL iff there is a closed tableau for the prefixed formula $F^+ : \psi_0\ (0)$.

Proof (Sketch). We show that our calculi for MLL and MELL (without using
rule π) are equivalent for the fragment MLL: both ν-rules are equivalent
(consider an appropriate multiplicity μ); rules τ and ω are correct and complete,
i.e. $1^+ \equiv \bot^- \equiv (A \multimap A)^+$ for a new predicate symbol A and $\bot^+ \equiv 1^- \equiv (A \multimap A)^-$
for an arbitrary predicate symbol A (so that one-element connections are omitted
and the weakening map is empty), since both $1^+/\bot^-$ and $(A \multimap A)^+$ lead to leaves
in the sequent proof and the rules for $\bot^+/1^-$ can always be applied at the leaves in
the sequent proof; linearity and cardinality conditions are identical (with empty
weakening map); if $\mathcal{C}$ is linear and $2|\mathcal{C}| = |\mathcal{A}_T| + |\mathcal{B}_T| + 1$ then every atomic formula
occurs in $\mathcal{C}$ (relevance condition), since the number of leaves in the (binary)
formula tree is equal to the number of inner nodes plus one.

The linTAP Implementation. The previous calculus has been implemented in
Prolog (see Table 7). For the syntax of formulas we use the logical connectives
"~" (negation (·)^⊥), "*" (conjunction ⊗), "@" (disjunction ⅋), "@>" (implication
⊸), the exponentials "?" and "!", the constants "1" (for 1) and "0" (for ⊥), and
Prolog atoms for atomic formulas. For example, to express the formula ((A ⅋ ⊥)
⊗ !A) ⅋ ?(A^⊥) we use the Prolog term ((a@0)*!a)@ ?(~a).

We use 0 and 1 to represent the polarities + and −, respectively. Positions are
constructed from right to left and prefixes are represented by Prolog lists. Like
in ileanTAP we use two predicates for path checking: fml and prove.







[Table 6. A prefix-based tableau calculus for MLL. Rule groups: α-rules for (F1 ⅋ F2)⁺, (F1 ⊗ F2)⁻ and (F1 ⊸ F2)⁺ : s (p), which put both subformulas on the same branch with prefix s∘s' and positions p∘l and p∘r; β-rules for (F1 ⅋ F2)⁻, (F1 ⊗ F2)⁺ and (F1 ⊸ F2)⁻ : s (p), which split the branch; ν-rules for (?F1)⁺ and (!F1)⁻ with stepwise contraction; o-rules for (F1^⊥)^± : s (p), giving F1^∓ : s (p∘l); τ-rules for 1⁺ and ⊥⁻, e.g. 1⁺ : s (p) gives (A_F ⊸ A_F)⁺ : s (p∘l); ω-rules for ⊥⁺ and 1⁻, which introduce the predicate variable X_F; and a(tom)-rules A^± : s (p), giving [A]^± : s∘s'∘φ_p (p). In each rule the new prefix character s' is φ_p, ψ_p or ε, depending on whether the last character of s is a variable or a constant; the complete rule bodies are not reproduced.]

fml(F,Pol,P,F1,F2,F3,PrN,Ctr) is used to specify the rules of our prefix-based
tableau calculus. It succeeds if there is a rule to expand the formula F. Pol
is the polarity; P, F1, F2, F3, and PrN are the position p, the formulas F1, F2, F3, and
the new prefix character, respectively. Ctr is bound to c if a contraction (rule)
is applied. According to our calculus we need 18 clauses to specify all rules.
%%% Specification of Tableau Rules

fml(A,Pol,P,[A,Pol],[],[],[P],0) :- var(A).
fml((A@B), 0,P,(A,0),[],(B,0),[P],0).     fml((A@B), 1,_,(A,1),(B,1),[],[_],0).
fml((A*B), 1,P,(A,1),[],(B,1),[P],0).     fml((A*B), 0,_,(A,0),(B,0),[],[_],0).
fml((A@>B),0,P,(A,1),[],(B,0),[P],0).     fml((A@>B),1,_,(A,0),(B,1),[],[_],0).
fml((!A),  1,P,(A,1),[],((!A),1),[P],c).  fml((!_),  1,_,(1,1),[],[],[],0).
fml((?A),  0,P,(A,0),[],((?A),0),[P],c).  fml((?_),  0,_,(0,0),[],[],[],0).
fml(0,     1,P,(P,0),[],(P,1),[P],0).     fml(1,     1,_,(X,0),(X,1),[],[_],0).
fml(1,     0,P,(P,0),[],(P,1),[P],0).     fml(0,     0,_,(X,0),(X,1),[],[_],0).
fml((~A),  0,_,(A,1),[],[],[],0).         fml((~A),  1,_,(A,0),[],[],[],0).
fml(A,Pol,P,[A,Pol],[],[],[P],0).

%%% Path Checking

prove([(F,Pol),Pre,P],UnExp,Lits,Exp,ExpLim,PU,At,Bt,C,C1) :-
    fml(F,Pol,P,F1,F2,F3,PrN,Ctr), append(_,[Lp],Pre),                 % look up tableau rule
    ( Ctr=c -> Exp<ExpLim, Exp1 is Exp+1 ; Exp1=Exp, ! ),              % control contraction
    ( (F2\=[],var(Lp);F2=[],\+var(Lp)) -> Pre1=Pre ;
                                          append(Pre,PrN,Pre1) ),     % Pre1 is new prefix
    ( F3=[] -> UnExp1=UnExp, At=At3 ;
               UnExp1=[[F3,Pre1,r(P)]|UnExp], At=[P|At3] ),           % update UnExp1
    prove([F1,Pre1,l(P)],UnExp1,Lits,Exp1,ExpLim,PU1,At1,Bt1,C,C2),    % continue with F1
    ( F2=[] -> PU=PU1, At3=At1, Bt=Bt1, C1=C2 ;
      prove([F2,Pre1,r(P)],UnExp1,Lits,Exp1,ExpLim,PU2,At2,Bt2,C2,C1), % continue with F2
      append(PU1,PU2,PU), union(At1,At2,At3), union([P|Bt1],Bt2,Bt) ).

prove([[Lit,Pl],Pr,P],_,[[[L,Pl1],Pr1,P1]|Lits],_,_,PU,At,Bt,C,C1) :-    % close branch
    ( Lit=L, Pl is 1-Pl1, At=[], Bt=[],                                  % connection found ?
      ( member([P,S],C) -> (S=P1 -> C1=C, PU=[]) ;                       % linearity condition
        ( member([P1,S],C) -> (S=P -> C1=C, PU=[]) ;
          PU=[[Pr,_]=[Pr1,_]], C1=[[P,P1],[P1,P]|C] ) ) )                 % add prefixes and connection
    ; prove([[Lit,Pl],Pr,P],[],Lits,_,_,PU,At,Bt,C,C1).                  % otherwise check next literal

prove(Lit,[Next|UnExp],Lits,Exp,ExpLim,PU,At,Bt,C,C1) :-                  % add Lit to current branch
    prove(Next,UnExp,[Lit|Lits],Exp,ExpLim,PU,At,Bt,C,C1).                 % expand Next formula

%%% T-String Unification

t_string_unify([]).
t_string_unify([S=T|G]) :- flatten(S,S1,[]), flatten(T,T1,[]),             % flatten prefix lists
                           tunify(S1,[],T1), t_string_unify(G).            % solve first equation

tunify([],[],[]).                                                         % transfer, rule R1
tunify([X1|S],[],[X2|T]) :- X1==X2, !, tunify(S,[],T).                     % -"- R3
tunify([V|S],Z,[]) :- V=Z, tunify(S,[],[]).                                % -"- R5
tunify([V,X|S],[],[V1|T]) :- var(V1), tunify([V1|T],[V],[X|S]).            % -"- R8
tunify([V,X|S],[Z1|Z],[V1|T]) :- var(V1), append([Z1|Z],[Vnew],V),         % -"- R9
                                 tunify([V1|T],[Vnew],[X|S]).
tunify([V|S],Z,[X|T]) :- (S=[]; T\=[]; \+var(X)) -> append(Z,[X],Z1),      % -"- R10
                                 tunify([V|S],Z1,T).

flatten(A,[A|B],B) :- (var(A) ; A\=[], A\=[_|_]), !.                       % flatten list
flatten([],A,A).
flatten([A|B],C,D) :- flatten(A,C,E), flatten(B,E,D).

Table 7. The source code of linTAP

prove([(F,Pol),Pre,P],UnExp,Lits,Exp,ExpLim,PU,At,Bt,C,C1) performs
the actual proof search. (F,Pol) is the formula currently expanded, Pre
its prefix s, P its position p. UnExp and Lits represent lists of formulas not yet
expanded and the atomic formulas on the current branch of the tableau. Exp is
the number of contractions on the current branch, ExpLim the maximum number
of contractions allowed on a branch, PU a list of prefix equations. At and Bt
represent the sets $\mathcal{A}_T$ and $\mathcal{B}_T$, and C represents the current set of connections $\mathcal{C}$
(more precisely each connection is stored twice, i.e. $\mathtt{C} = \bigcup_{\{p,q\} \in \mathcal{C}} \{[p,q],[q,p]\}$).



After a tableau has been found the prefix equations in PU have to be solved.
This is done by t_string_unify(PU) and tunify(S,[],T) where PU is a system
of string equations to be unified, and S and T are two strings to be unified (see [22]).

The following goal succeeds if the formula F is valid in MLL using not more
than ExpLim contractions on each branch:

prove([(F,0),[0],0],[],[],0,ExpLim,PU,At,Bt,[],C),
length(Bt,Nbt), length(C,Nc), Nc=:=(2*Nbt)+2,       % cardinality
length(At,Nat), Nc=:=Nat+Nbt+1,                     % relevance (Definition 14, condition 3)
t_string_unify(PU).                                 % unifiability of prefixes

Some experimental results. There are only a few provers and even fewer
examples available for MLL. Table 8 contains some problems for MLL. The
timings for these (valid) formulas are given in Table 9.¹ We compare linTAP² (with
iterative deepening) with the sequent calculus provers llprover (implemented in
Prolog; see [24]) and linseq, and with the resolution prover linres (both last-mentioned
provers are implemented in Scheme and compiled to C; see [23]).



F1: ((A ⅋ ⊥) ⊗ !A) ⅋ ?(A^⊥)
F2: !(A ⊗ C ⊸ B) ⊗ !(B ⊗ D ⊗ D ⊸ C ⊗ D) ⊗ A ⊗ C ⊗ D ⊗ D ⊸ C ⊗ D
F3: (C_n ⊗ (C_{n-1} ⊗ (... (C_2 ⊗ C_1)..))) ⊸ [remainder illegible in the scan]
F4: [nested ⊗/⊸ formula over C_1, ..., C_12 and D_1, ..., D_12; illegible in the scan]
F5: D ⊗ !(D ⊸ C ⊗ Q) ⊗ !(D ⊗ Q ⊗ Q ⊸ I) ⊸ C ⊗ ?Q
F6: D ⊗ D ⊗ D ⊗ !(D ⊸ C ⊗ Q) ⊗ !(D ⊗ Q ⊗ Q ⊸ I) ⊸ C ⊗ I ⊗ C
F7: D ⊗ D ⊗ D ⊗ D ⊗ Q ⊗ Q ⊗ !(D ⊸ C ⊗ Q) ⊗ !(D ⊗ Q ⊗ Q ⊸ I) ⊸ C ⊗ I ⊗ C ⊗ I
F8: D ⊗ D ⊗ D ⊗ Q ⊗ Q ⊗ Q ⊗ !(D ⊸ C ⊗ Q) ⊗ !(D ⊗ Q ⊗ Q ⊸ I) ⊸ [conclusion, containing the predicate variable X, illegible in the scan]

Table 8. Some problems for MLL



        llprover   linseq   linres   linTAP
F1        0.08      0.02     0.02    < 0.01
F2       61.05      0.17     0.05      0.03
F3          -       0.33     0.08      0.05
F4          -         -        -       0.28
F5        0.95      0.03     0.03    < 0.01
F6          -       0.15     0.05      0.13
F7          -       4.63     0.07     13.67
F8        n/a       n/a      n/a     11.75

Table 9. Timings for the problems from Table 8 (in seconds; "-": no proof found within 100 seconds; "n/a": the prover does not support the free predicate variable in F8)



¹ Measured on a Sun SPARC 10 in seconds; "-" means that no proof was found within
100 seconds. F2 is the most difficult example from [24] (linTAP solves all other problems
from [24] in less than 30ms); F3 is from [23]. The predicates in F5 to F8 can be
interpreted as follows: D = "dollar", Q = "quarter", C = "Coke", I = "ice-cream". Formula
F6, e.g., then expresses the following situation: for one dollar I can buy a Coke
and get a quarter back, and for one dollar and two quarters I can buy an ice-cream;
so if I have three dollars I can buy two Cokes and one ice-cream (see [5] for a similar
approach on deductive planning). It is possible to use (free) variables: formula F8
contains a variable X which will be bound to an appropriate predicate symbol (i.e.
I) to make the formula valid (only linTAP offers this feature).

² The linTAP implementation uses an additional technique to simplify formulas of type
α of the form F ⊙ ω or ω ⊙ F, replacing them by F (where ⊙ ∈ {
6 Conclusion

We have presented prefix-based tableau calculi for MELL and MLL. We encoded
the additional non-permutabilities arising in multiplicative linear logic by
an additional string unification. These calculi are the basis for our tableau prover
linTAP. linTAP is not only a very compact implementation but compares favorably
with other (larger) implementations. Due to the compact code the program can
easily be modified for special purposes or applications.

Future work includes the extension to larger fragments of linear logic and the
comparison of linTAP with a connection-driven proof search procedure (see [15]).

Besides the original leanTAP implementation for classical first-order logic,
lean tableau provers are also available for various non-classical logics, i.e. first-order
intuitionistic logic (ileanTAP, [21]) and the propositional modal logics K,
KD, KT, and S4 (ModLeanTAP, [4]). The linTAP implementation fills the gap
for multiplicative linear logic. The source code of linTAP can be obtained at
http://www.intellektik.informatik.tu-darmstadt.de/~jeotten/linTAP/.
Abstract. The paper presents a tableau calculus for a linear time temporal
logic for reasoning about processes and events in concurrent systems.
The logic is based on temporal connectives in the style of Transaction
Logic [BK94] and explicit quantification over states. The language
extends first-order logic with sequential and parallel conjunction, parallel
disjunction, and temporal implication. Explicit quantification over states
via state variables makes it possible to express temporal properties which cannot
be formulated in modal logics.

Using the tableau representation of temporal Kripke structures presented
for CTL in [MS96], which represents states by prefix terms, explicit quantification
over states is integrated into the tableau calculus by an adaptation
of the δ-rule from first-order tableau calculi to the linear ordering
of the universe of states.

Complementing the CTL calculus, the paper shows that this tableau
representation is suitable both for modal temporal logics and for logics
using temporal connectives.



1 Introduction

When extending first-order logic to temporal logic, most approaches are based
on modal operators, such as LTL/CTL or Dynamic Logic. Here, formulas are
modified via modalities, inducing an implicit quantification over states. Formulas
are evaluated wrt. states or (infinite) paths, thus they do not support an
intuitive notion of sequentiality or parallelism.

For reasoning about processes and events in concurrent systems, temporal
connectives such as sequential, parallel, and alternative composition or iteration
are well-known from process algebraic formalisms. First-order-logic based
formalisms using temporal connectives (which implies evaluating formulas wrt.
finite path segments) are rare, although they have obvious advantages when reasoning
about the temporal behavior of processes. For Transaction Logic [BK94], it
has been shown how to write executable specifications in such a formalism.

There are some temporal constraints which cannot be expressed in temporal
modal logics, e.g., that "if some state is reached such that a given predicate p
has the same extension as now, then q holds in this state" (cf. [TN96,CT98]). In
[CT98], it is shown that this can be expressed in 2-FOL, which is a two-sorted
first-order language for dealing with a linear temporal state space, by
$$\forall s_1, s_2 : ((\forall \bar{x} : p(\bar{x}, s_1) \leftrightarrow p(\bar{x}, s_2)) \wedge s_1 < s_2) \rightarrow q(s_2).$$

Neil V. Murray (Ed.): TABLEAUX'99, LNAI 1617, pp. 232-246, 1999.
© Springer-Verlag Berlin Heidelberg 1999
This example motivates that an explicit quantification and addressing of states
via state variables would be useful in a temporal logic.

In [MS96], a tableau semantics for first-order Kripke structures has been
presented, together with a tableau calculus for first-order CTL. There, states
have been described by prefix terms which provide a natural way to adapt the
γ- and δ-rule to quantification by state variables.

In the present paper, it is shown how the same approach applies to this
temporal logic based on temporal connectives and explicit quantification over
states.

The paper is structured as follows: After introducing some basic notions
in Section 2, a (linear-time) logic for formulating complex events and dynamic
constraints is presented in Section 3. Section 4 contains the tableau semantics for
linear Kripke structures, and the tableau calculus is given in Section 5. Section 6
closes with some concluding remarks.

Related Work. Most of the work in Temporal Logics focuses on modal logics,
e.g., CTL, the modal μ-calculus, or Dynamic Logic. An overview of tableau calculi
for (modal) temporal logics is given in [Wol85], a recent one is
described in [MP95]. Interval Logics contain operators for sequential composition
and iteration similar to those known from programming languages [Mos86]. A
tableau method for interval logic has, e.g., been presented in [BT98]. Other
formalisms for expressing temporal constraints in non-modal logics are dealt
with in [Sin95], [BK94], [Pra90], [Jab94], and [TN96,CT98].

2 Basic Notions

Let $\Sigma$ be a signature consisting of a set $\Sigma_{func}$ of function symbols and a set $\Sigma_{pred}$ of
predicate symbols with fixed arities $ord(f)$ resp. $ord(p)$, and $Var := \{x_1, x_2, \ldots\}$
an infinite set of variables. Let $Term_\Sigma$ denote the set of terms over $\Sigma$ and $Var$.
The notions of bound and free variables are defined as usual, $free(\mathcal{F})$ denoting
the set of variables occurring free in a set $\mathcal{F}$ of formulas.

A substitution (over a signature $\Sigma$) is a mapping $\sigma : Var \to Term_\Sigma$ where
$\sigma(x) \neq x$ for only finitely many $x \in Var$, here denoted by $[\sigma(x)/x]$. Substitutions
are extended to terms and formulas as usual.

A first-order structure $\mathcal{I} = (I, U)$ over a signature $\Sigma$ consists of a universe $U$
and a first-order interpretation $I$ of $\Sigma$ which maps every function symbol $f \in \Sigma$
to a function $I(f) : U^{ord(f)} \to U$ and every predicate symbol $p \in \Sigma$ to a relation
$I(p) \subseteq U^{ord(p)}$.

A variable assignment is a mapping $\chi : Var \to U$. For a variable assignment
$\chi$, a variable $x$, and $d \in U$, the modified variable assignment $\chi^x_d$ is identical with
$\chi$ except that it assigns $d$ to $x$. Let $\mathcal{S}$ denote the set of variable assignments.

Every interpretation induces an evaluation $\mathcal{I} : Term_\Sigma \times \mathcal{S} \to U$ s.t. $\mathcal{I}(x, \chi) :=
\chi(x)$ for $x \in Var$, and $\mathcal{I}(f(t_1, \ldots, t_n), \chi) := (I(f))(\mathcal{I}(t_1, \chi), \ldots, \mathcal{I}(t_n, \chi))$ for $f \in \Sigma$,
$ord(f) = n$ and $t_1, \ldots, t_n \in Term_\Sigma$. The truth of a formula $F$ in a first-order
structure $\mathcal{I}$ under a variable assignment $\chi$, $(\mathcal{I}, \chi) \models F$, is defined as usual.
3 Temporal Connectives and Quantification

Temporal specifications consist of combining subformulas by temporal connectives.
The logic presented here incorporates the following facilities:

— $\otimes$ denotes sequential conjunction via subsequent path segments and $\times$ denotes
a parallel conjunction on the same path segment.

— $E^*$ denotes finite iteration, mostly limited by a first-order condition on a
state which is tested between each two iterations.

— Constraints are specified by constraint formulas in an if-then style. In a temporal
context, there are three possible implication constructs (if ... then before/later/sometimes ...).
With a suitable synchronization formalism, they
can be formulated by a single causal implication from $E$ to $F$.

— Via temporal quantification, formulas introduce "private" synchronization
points which represent agreements local to processes.

From the modeling point of view, synchronization points are virtual entities.
This idea shows some similarities with first-order existential quantification of
a variable $x$: there is a local agreement (binding) which entity is meant by $x$,
without identifying it extensionally. This information is kept local to the scope
of the quantifier. Following this idea, synchronization points are handled via a
set $SVar$ of state variables $s_i$ which can be bound to states.

The logic is interpreted by linear first-order Kripke structures which are
augmented by a transition oracle (cf. [BK94]) representing the actions which
are executed in the state transitions. A linear first-order Kripke structure over a
signature $\Sigma$ is a pair $K = (U, M)$, where $U$ is a universe and $M$ is a mapping
from the natural numbers to first-order interpretations $M(n)$ over $\Sigma$. Since a
constant universe is presumed, the notion of a variable assignment is defined
as in the first-order case. For every transition from $n$ to $n+1$, the transition
oracle yields an interpretation $N(n)$ of a set $\Sigma_A$ of action symbols similar to
predicates. Having $(u_1, \ldots, u_n) \in (N(n))(a)$ for $a \in \Sigma_A$ in the transition oracle
means that $a(u_1, \ldots, u_n)$ is executed in the transition from $n$ to $n+1$.

Definition 1 (Action Formulas). Action formulas are first-order formulas
over the signature $\Sigma_A \cup \Sigma_{func}$. Action formulas are evaluated wrt. transitions
$K(i, i+1)$ as $(K(i,i+1), \chi) \models a(t_1, \ldots, t_n) \;:\Leftrightarrow\; (M(i)(t_1, \chi), \ldots, M(i)(t_n, \chi)) \in N(i)(a)$,
using the transition oracle.

Definition 2 (ECL-Event Formulas). The language of ECL formulas over a
first-order signature $\Sigma$ and an action signature $\Sigma_A$ is defined inductively. With
every ECL formula $E$, a length $len(E) \subseteq \mathbb{N} \cup \{\infty\}$ is associated; the addition
on subsets of $\mathbb{N} \cup \{\infty\}$ is defined as $N + M := \{k : \exists n \in N, m \in M \;.\; k = n + m\}$.

1. Every first-order formula $\varphi$ is an ECL formula of length $len(\varphi) = \{0\}$.

2. $d$ and $\bot$ are ECL formulas with length $len(d) = len(\bot) = \mathbb{N} \cup \{\infty\}$. $d$
denotes idling for an arbitrary time, $\bot$ denotes an action which can never
be executed successfully (often called deadlock).
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3. Every action formula E is an ECL formula of length len(E) = {!}. 

4-. With s a state variable and E an ECL formula such that s is not free in E, 

— s t>E is an ECL formula with len(s p> e) = len(E)^ and 

— if len(E) C\¥l ^ 0, E <] s is an ECL formula with len(E <] s) = len(E) fl IN. 
Then, s is free in st>E and E<s (prefixing or postfixing with a synchronization 
point). 

5. With E an ECL formula with len(E) nlN 7 ^ 0 and F an ECL formula, E0F 
an ECL formula, len(E(8)F) = (len(E) nlN) + len(F) (sequential composition). 

6. With E and F ECL formulas with len (e) n len (f) 7 ^ 0, EXE is an ECL formula 
with len(E x f) = len(E) fl len(F) (parallel composition). 

1. With El, . . . ,En ECL formulas, Xli<z<n W is an ECL formula with 
len(^i<^<^ E^) = len(=e^) (alternative composition). 

8. With E an ECL formula, E* is an ECL formula with len(E*) = {n \ 3k e 
lN,ni, . . . , G len(E) and n = ni + . . . + n^} (finite iteration). 

9. With E an ECL formula and x a variable, Wx : E and 3x : E are ECL 
formulas, len(Vx : e) = len(3x : e) = len(E). 

10. With s a state variable and E an ECL formula, : E and - if 00 e len(E) 
- ms : E are ECL formulas, len(#s : e) = len(E), len(Bs : e) = { 00 } (intro- 
ducing a state variable). 

• Each of the above ECL formulas is an ECL-event formula. 



ECL-event formulas hold on a segment of a Kripke structure. For a linear Kripke structure $K$ and $i \leq j$ such that $i \in \mathbb{N}$, $j \in \mathbb{N} \cup \{\infty\}$, the expression $K[i,j]$ denotes the whole structure, with the focus on the segment $[i,j]$.



Definition 3 (Assignment of State Variables). For a linear Kripke structure $K$, an assignment $\zeta$ of state variables is a function which maps every state variable to a state of $K$, i.e., a natural number.

The modification of an assignment $\zeta$ of state variables at one element is defined in the same way as for first-order variable assignments: For an assignment $\zeta$ of state variables, a state variable $s$, and $n \in \mathbb{N}$, the modification $\zeta^s_n$ is identical with $\zeta$ except that it assigns $n$ to the state variable $s$:
$$\zeta^s_n : SVar \to \mathbb{N}, \qquad \zeta^s_n(t) := \begin{cases} \zeta(t) & \text{if } t \neq s, \\ n & \text{otherwise.} \end{cases}$$



Definition 4 (Semantics of Event Formulas). Let $K$ be a linear Kripke structure with a universe $U$, $\chi$ a variable assignment, $\zeta$ an assignment of state variables. Then, $\models$ is extended to ECL formulas as follows:

1. For a first-order formula $\varphi$: $(K[i,j], \chi, \zeta) \models \varphi \;:\Leftrightarrow\; i = j$ and $(M(i), \chi) \models \varphi$.

2. $(K[i,j], \chi, \zeta) \models \partial$ for all $i \leq j$, and $(K[i,j], \chi, \zeta) \models \bot$ for no $i, j$.

3. For $\varphi$ an action formula: $(K[i,j], \chi, \zeta) \models \varphi \;:\Leftrightarrow\; j = i + 1$ and $(K(i,j), \chi) \models \varphi$.

4. $(K[i,j], \chi, \zeta) \models s \rhd E \;:\Leftrightarrow\; \zeta(s) = i$ and $(K[i,j], \chi, \zeta) \models E$,
   $(K[i,j], \chi, \zeta) \models E \lhd s \;:\Leftrightarrow\; \zeta(s) = j \in \mathbb{N}$ and $(K[i,j], \chi, \zeta) \models E$.

5. $(K[i,j], \chi, \zeta) \models E \otimes F \;:\Leftrightarrow\;$ there is a $k$ s.t. $(K[i,k], \chi, \zeta) \models E$ and $(K[k,j], \chi, \zeta) \models F$.

6. $(K[i,j], \chi, \zeta) \models E \times F \;:\Leftrightarrow\; (K[i,j], \chi, \zeta) \models E$ and $(K[i,j], \chi, \zeta) \models F$.

7. $(K[i,j], \chi, \zeta) \models \sum_{1 \leq k \leq n} E_k \;:\Leftrightarrow\;$ there is a $1 \leq k \leq n$ s.t. $(K[i,j], \chi, \zeta) \models E_k$.

8. $(K[i,j], \chi, \zeta) \models E^* \;:\Leftrightarrow\;$ there is a $k \geq 0$ s.t. $(K[i,j], \chi, \zeta) \models \underbrace{E \otimes E \otimes \ldots \otimes E}_{k\text{-times}}$ (note that for $k = 0$, this means $\mathit{true}$).

9. $(K[i,j], \chi, \zeta) \models \exists x : E \;:\Leftrightarrow\;$ there is a $d \in U$ s.t. $(K[i,j], \chi^x_d, \zeta) \models E$,
   $(K[i,j], \chi, \zeta) \models \forall x : E \;:\Leftrightarrow\;$ for all $d \in U$, $(K[i,j], \chi^x_d, \zeta) \models E$.

10. $(K[i,j], \chi, \zeta) \models \blacklozenge s : E \;:\Leftrightarrow\;$ there is a $k$ with $i \leq k \leq j$ and $(K[i,j], \chi, \zeta^s_k) \models E$,
    $(K[i,j], \chi, \zeta) \models \blacksquare s : E \;:\Leftrightarrow\; j = \infty$ and for all $k \geq i$, $(K[i,j], \chi, \zeta^s_k) \models E$.

As short notations, $E \cdot F := E \otimes \partial \otimes F$ and $E_1 + \ldots + E_n := \sum_{1 \leq i \leq n} E_i$ are used.

Remark 1 (Semantics of ECL). Note that in this definition, if $F$ is an ECL formula and $E$ is a subformula of $F$, the segment of the Kripke structure which is looked at for $E$ is always contained in the segment which is looked at for $F$. This will not be the case in Definition 6 where the semantics of temporal implication is defined.

ECL-event formulas without universal temporal quantification describe finitely detectable events:

Proposition 1 (Finite Satisfiability). Let $E$ be an ECL-event formula which does not contain $\blacksquare s$. Then, if a (possibly infinite) computation satisfies $E$ (i.e., an event described by $E$ occurs in the computation), then already a finite prefix of this computation satisfies $E$. Formally, $(K[i,j], \chi, \zeta) \models E$ implies that there is a (unique least) $i \leq k \leq j$ such that $k < \infty$ and $(K[i,k], \chi, \zeta) \models E$.

For the proof, one must consider that an infinite sequence only satisfies formulas which contain either $\blacksquare$ or a final delay (this will change with the introduction of temporal implication in Sec. 5).

As a consequence, events of infinite length, i.e., $len(E) = \{\infty\}$ (note that these are exactly those events which contain $\blacksquare$ in all their alternatives), cannot be postfixed: there is no state where an action "raising" such an event can be terminated.

Example 1 (Event Formulas).

— Iteration: a state will be reached where $F$ holds, and then, $E$ is iterated until $G$ is satisfied: $\partial \otimes F \otimes E^* \otimes G$.

— Conditional execution: If the set of elements for which some ECL formula $E(x)$ should be satisfied should be restricted by some first-order formula $\varphi(x)$, this can be formulated as $\blacklozenge s : \forall x : ((\varphi(x) \otimes E(x)) + (\neg\varphi(x) \otimes \partial)) \lhd s$.

— Consider a workflow, consisting of several jobs, each of which can be performed in several ways, consisting of a first and a second part. The additional condition is that all first parts are finished before some second part is started. This is done by a synchronization variable local to the process:
$$\mathit{Workflow} = \blacklozenge s : (\mathit{Job}_1 \times \mathit{Job}_2 \times \ldots \times \mathit{Job}_n),$$
$$\mathit{Job}_i = \mathit{Way}_{i,1} + \ldots + \mathit{Way}_{i,k_i},$$
$$\mathit{Way}_{i,j} = \partial \otimes \mathit{First}_{i,j} \otimes \partial \lhd s \otimes \partial \otimes \mathit{Second}_{i,j} \otimes \partial.$$
3.1 Constraints

Constraints can be used for describing processes from another point of view: in a declarative way, computations not satisfying a given set of constraints can be ruled out. Temporal constraints are specified by constraint formulas in an if-then style. With the above synchronization formalism, the temporal implication constructs "if ... then before/later/sometimes ..." can be formulated by a single implication and state variables.

Definition 5 (Constraint Formulas). For expressing temporal constraints, an additional connective is added to the syntax of ECL formulas:

11. For ECL formulas $E, F$, $E \leadsto F$ is an ECL (constraint) formula with $len(E \leadsto F) = \{0\}$ (temporal implication).

Definition 6 (Semantics of Constraints). Let $K$ be a linear Kripke structure, $\chi$ a variable assignment, $\zeta$ an assignment of state variables. Then, $\models$ is extended to constraint formulas as follows:

11. $(K[i,j], \chi, \zeta) \models E \leadsto F \;:\Leftrightarrow\; i = j$ and if $(K[i,k_1], \chi, \zeta) \models E$ for some $k_1$, then $(K[0,k_2], \chi, \zeta) \models F$ for some $k_2$.

Note that $E \leadsto \bot$ is ECL's negation, i.e., it requires that an event $E$ is not detected. In contrast to ECL-event formulas (cf. Remark 1), for a general ECL-constraint formula, the whole path has to be considered for evaluating the consequence. For negation via temporal implication, the focused segment does not have to be extended. A constraint is evaluated wrt. one state and has length 0.

Proposition 2 (Connectives of [Jab94]). The constraint connectives used in [Jab94] can be defined as derived symbols:

— "Deadline": eventually $D$ will be satisfied, and before, $C$ has to be satisfied:
$$D \lhd C := (\partial \otimes D \otimes \partial) \times \blacksquare s : ((\partial \otimes s \rhd D) \leadsto (\partial \otimes C \otimes \partial \lhd s)).$$

— "Delay": $C$ can only occur if $D$ occurred before:
$$C \rhd D := \blacksquare s : ((\partial \otimes s \rhd C) \leadsto (\partial \otimes D \otimes \partial \lhd s)).$$

Example 2 (Constraints). (Assume $E$, $F$, and $G$ to be action formulas.)

— After $F$, $E$ will never be satisfied: $(\partial \otimes F \cdot E) \leadsto \bot$,

— if $E$ and later $F$ are satisfied, then between them, $G$ must eventually be satisfied: $\blacksquare s_1, s_2 : (\partial \otimes E \lhd s_1 \cdot s_2 \rhd F) \leadsto (\partial \otimes s_1 \rhd \partial \otimes G \otimes \partial \lhd s_2)$.

— between $E$ and the next $F$, $G$ is not satisfied:
$$\blacksquare s_1, s_2 : ((\partial \otimes E \lhd s_1 \cdot s_2 \rhd F) \times ((\partial \otimes s_1 \rhd \partial \otimes F \otimes \partial \lhd s_2) \leadsto \bot)) \leadsto ((\partial \otimes s_1 \rhd \partial \otimes G \otimes \partial \lhd s_2) \leadsto \bot).$$

— if $E$ is satisfied, in the state before, $F'$ holds: $\blacksquare s : (\partial \otimes s \rhd E) \leadsto (\partial \otimes F' \lhd s)$.

Example 3 (2-FOL). The 2-FOL formula given in the introduction which is not expressible in LTL, CTL etc. can be expressed in ECL by
$$\blacksquare s_1, s_2 : (\forall x\, ((\partial \otimes (s_1 \rhd p(x)) \otimes \partial \otimes (s_2 \rhd p(x)) \otimes \partial) + (\partial \otimes (s_1 \rhd \neg p(x)) \otimes \partial \otimes (s_2 \rhd \neg p(x)) \otimes \partial))) \leadsto (s_2 \rhd q).$$
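As an added illustration (not code from the paper), the following Python evaluates Definitions 4 and 6 on a finite prefix of a linear Kripke structure, for the fragment without $\blacksquare s$ that Proposition 1 shows to be finitely detectable, and runs the iteration and workflow events of Example 1 and the first constraint of Example 2 over constructed traces. The tuple encoding of formulas, the `make_trace` helper and the sample traces are assumptions of this example; atomic facts stand in for first-order formulas.

```python
"""Finite-prefix checker for ECL event and constraint formulas (Definitions 4 and 6),
restricted to the fragment without universal state quantification (no ■s : E), which
Proposition 1 shows to be finitely detectable. Added illustration, not the paper's code.
Assumed tuple encoding: ("fo", p) first-order formula (an atomic fact p of M(i)),
("delay",) ∂, ("dead",) ⊥, ("act", a) action formula, ("pre", s, E) s ▷ E,
("post", E, s) E ◁ s, ("seq", E, F) E ⊗ F, ("par", E, F) E × F, ("alt", [E1, ...]),
("star", E) E*, ("some", s, E) ♦s : E, ("impl", E, F) E ⇝ F.  A trace is (states, trans):
states[n] = facts of M(n), trans[n] = actions executed in n -> n+1 (the oracle N(n))."""

def sat(trace, i, j, E, zeta=None):
    """(K[i,j], chi, zeta) |= E on the finite prefix `trace`, following Definition 4."""
    states, trans = trace
    zeta = zeta or {}                              # assignment of state variables
    tag = E[0]
    if tag == "fo":                                # length 0: evaluated in M(i) only
        return i == j and E[1] in states[i]
    if tag == "delay":                             # ∂ idles for any number of transitions
        return i <= j
    if tag == "dead":                              # ⊥ is never executed
        return False
    if tag == "act":                               # exactly one transition, by the oracle
        return j == i + 1 and E[1] in trans[i]
    if tag == "pre":                               # s ▷ E: s is bound to the first state
        return zeta.get(E[1]) == i and sat(trace, i, j, E[2], zeta)
    if tag == "post":                              # E ◁ s: s is bound to the last state
        return zeta.get(E[2]) == j and sat(trace, i, j, E[1], zeta)
    if tag == "seq":                               # E ⊗ F: some split point k
        return any(sat(trace, i, k, E[1], zeta) and sat(trace, k, j, E[2], zeta)
                   for k in range(i, j + 1))
    if tag == "par":                               # E × F: both on the same segment
        return sat(trace, i, j, E[1], zeta) and sat(trace, i, j, E[2], zeta)
    if tag == "alt":
        return any(sat(trace, i, j, F, zeta) for F in E[1])
    if tag == "star":                              # zero iterations, or one E with progress
        return i == j or any(sat(trace, i, k, E[1], zeta) and sat(trace, k, j, E, zeta)
                             for k in range(i + 1, j + 1))
    if tag == "some":                              # ♦s : E binds s to a state of [i, j]
        return any(sat(trace, i, j, E[2], {**zeta, E[1]: k}) for k in range(i, j + 1))
    if tag == "impl":                              # E ⇝ F (Definition 6): F checked from 0
        last = len(states) - 1
        if i != j:
            return False
        detected = any(sat(trace, i, k, E[1], zeta) for k in range(i, last + 1))
        return not detected or any(sat(trace, 0, k, E[2], zeta) for k in range(last + 1))
    raise ValueError(f"unknown connective {tag}")

def detect(trace, i, E, zeta=None):
    """Least k >= i with (K[i,k]) |= E (Proposition 1), or None within this prefix."""
    for k in range(i, len(trace[0])):
        if sat(trace, i, k, E, zeta):
            return k
    return None

DELAY = ("delay",)

def seq(*Es):
    """E1 ⊗ E2 ⊗ ... ⊗ En, nested to the right."""
    out = Es[-1]
    for E in reversed(Es[:-1]):
        out = ("seq", E, out)
    return out

def dot(E, F):
    """Short notation E · F := E ⊗ ∂ ⊗ F."""
    return seq(E, DELAY, F)

def iteration_event():
    """Example 1: ∂ ⊗ F ⊗ E* ⊗ G with action formulas E, F, G."""
    return seq(DELAY, ("act", "F"), ("star", ("act", "E")), ("act", "G"))

def never_after(F, E):
    """Example 2: after F, E will never be satisfied: (∂ ⊗ F · E) ⇝ ⊥."""
    return ("impl", seq(DELAY, dot(("act", F), ("act", E))), ("dead",))

def workflow(n):
    """Example 1: ♦s : (Job_1 × ... × Job_n) with one way per job,
    Way_i = ∂ ⊗ First_i ⊗ ∂ ◁ s ⊗ ∂ ⊗ Second_i ⊗ ∂, synchronized on s."""
    def way(i):
        return seq(DELAY, ("act", f"First{i}"), ("post", DELAY, "s"),
                   DELAY, ("act", f"Second{i}"), DELAY)
    jobs = way(1)
    for i in range(2, n + 1):
        jobs = ("par", jobs, way(i))
    return ("some", "s", jobs)

def make_trace(actions):
    """Constructed prefix: one transition per entry of `actions`, no first-order facts."""
    return [set() for _ in range(len(actions) + 1)], [set(a) for a in actions]

if __name__ == "__main__":
    run = make_trace([["x"], ["F"], ["E"], ["E"], ["G"]])        # constructed sample run
    print(detect(run, 0, iteration_event()), sat(run, 0, 0, never_after("F", "E")))
    print(sat(make_trace([["First1"], ["First2"], ["Second1"], ["Second2"]]), 0, 4, workflow(2)))
```

The workflow check fails on a trace where some second part precedes a first part, because no single value of s satisfies all postfixes at once.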
4 Tableau Semantics for Linear Kripke Structures

The tableau semantics and calculus is a linear-time adaptation of the one presented for first-order CTL in [MS96], which uses branching-time first-order Kripke structures as underlying semantics. For the first-order part, the well-known first-order tableau calculus is embedded into the tableau calculus which is constructed. It is necessary to describe many individual states as well as the relations between them in the tableau, including the ordering of states. Thus, three kinds of entities have to be described: elements of the universe inside states, states, and the path with its transitions. In the chosen semantics, elements of the universe and states will be explicitly named when their existence is stated by a formula:

— Elements of the universe: a new constant resp. function symbol is introduced by the usual $\delta$-rule when an existential quantifier is processed.

— States: states are named when their existence is required by a complex event.

In general, between two known states there can be many other still unknown states. These can be named when needed. Thus, a straightforward resolving of eventualities at any time is possible. A similar approach for PLTL where only the relevant states are generated has been used in [SGL97].

To allow the naming of states at any position of the model, the description of the path contains, apart from the (partial) ordering of known states, additional information about formulas which have to be true in still unknown states on the segments in between. These are used when new states are explicitly named.

Representation. As a conceptual extension of first-order tableaux, every branch of the tableau corresponds to a linear Kripke structure with a transition oracle. Apart from the first-order portion, information about the frame and the transitions has to be coded in tableau nodes. For distinguishing and naming of states, a tableau calculus based on the free variable tableau calculus given in [Fit90] augmented with prefixes is employed: A formula $F$ assumed to be true in a certain state $j$ occurs in the tableau as state prefixed formula $j : F$. Additionally, path information formulas contain the information about the prefixes situated on the path.

Thus, the signature $\Sigma_T$ used in the tableau is partitioned into $\Sigma_1$ (first-order part), $\Sigma_A$ (action symbols), and $\Sigma_P$ (prefix symbols).

$\Sigma_1$ is obtained by augmenting $\Sigma$ with a countably infinite set of $n$-ary skolem function symbols for every $n \in \mathbb{N}$ and a countably infinite set of variables.

$\Sigma_P$ is a set of prefix symbols containing an infinite set of $n$-ary prefix symbols for every $n \in \mathbb{N}$. The construction of prefixes corresponds to the use of skolem functions in the first-order tableau calculus. Here the prefix symbols take the role of the skolem function symbols. Analogously to the skolem terms containing free variables resulting from invocations of the $\gamma$-rule, prefixes $\gamma$ are terms consisting of a prefix symbol $\gamma$ of an arity $n$ and an $n$-tuple of terms as arguments. Additionally, there is a 0-ary symbol $\infty$ which is no prefix symbol but is used in a similar way.
Definition 7. Let $\Sigma_P$ be the set of prefix symbols and $\Sigma_C$ the subset of $\Sigma$ which is interpreted state-independently. Then the following sets $\Sigma_1$ and $\Gamma$ are simultaneously recursively defined:
$$\Sigma_1 := \Sigma \cup \{f \mid f \text{ an } n\text{-ary skolem function symbol}\} \cup \{f_\gamma \mid f \in \Sigma,\ \gamma \in \Gamma\},$$
with $ord(f_\gamma) = ord(f)$ and skolem functions and all $f_\gamma$ interpreted state-independently, thus
$$\Sigma_{1,C} := \Sigma_C \cup \{f \mid f \text{ an } n\text{-ary skolem function symbol}\} \cup \{f_\gamma \mid f \in \Sigma,\ \gamma \in \Gamma\}.$$

The set $\Gamma$ of prefixes is given as
$$\Gamma := \{\gamma(t_1, \ldots, t_n) \mid \gamma \in \Sigma_P \text{ is an } n\text{-ary prefix symbol},\ t_1, \ldots, t_n \in \mathrm{Term}_{\Sigma_{1,C}}\}.$$

For $\Gamma \subseteq \mathrm{Term}_{\Sigma_T}$, it is precisely the leading function symbol which is a prefix symbol taken from $\Sigma_P$, and all argument terms are in $\mathrm{Term}_{\Sigma_{1,C}}$. For $\Sigma_{1,C}$, $K$ induces a state-independent interpretation $(K, U)$.

An interpretation of $\Sigma_T$, describing a Kripke structure $K = (U, M)$, is accordingly partitioned: The interpretation of $\Sigma_1$ is taken over by the set $\{M(i) \mid i \in \mathbb{N}\}$ of first-order interpretations, and the symbols of $\Sigma_A$ are interpreted by the transition oracle. Complementary to this, an "interpretation" of the prefix symbols in $\Sigma_P$ is defined. The corresponding evaluation maps prefixes to natural numbers:

Definition 8. A prefix interpretation of a set $\Sigma_P$ of prefix symbols to a linear Kripke structure $K = (U, M)$ is a mapping $\pi : (\Sigma_P \cup \{\infty\}) \to \bigcup_n (U^n \to \mathbb{N} \cup \{\infty\})$ which maps every $n$-ary prefix symbol $\gamma \in \Sigma_P$ to a function $\pi(\gamma) : U^n \to \mathbb{N} \cup \{\infty\}$, with $\pi(\gamma) = \infty \Leftrightarrow \gamma = \infty$. Defining $\Pi_K := (\pi \cup K, \mathbb{N} \cup \{\infty\})$, $\Pi_K$ is organized similarly to a first-order interpretation $I = (I, U)$ with a mapping $\pi$ and the "universe" $\mathbb{N} \cup \{\infty\}$, inducing an evaluation $\Pi_K$ of prefixes from $\Gamma \cup \{\infty\}$ under a variable assignment to $\mathbb{N} \cup \{\infty\}$ as follows:

For $\gamma = \bar\gamma(t_1, \ldots, t_n) \in \Gamma$ (thus $t_i \in \mathrm{Term}_{\Sigma_{1,C}}$ evaluated state-independently by $K$),
$$\Pi_K(\gamma, \chi) := (\pi(\bar\gamma))(K(t_1, \chi), \ldots, K(t_n, \chi)).$$

Finally, the interpretation of the derived function symbols $f_\gamma$ is defined state-independently for all $i$ as
$$(M(i))(f_\gamma(t_1, \ldots, t_n), \chi) := (M(\Pi_K(\gamma, \chi)))(f(t_1, \ldots, t_n), \chi).$$

Tableau formulas. Logical formulas occur in the tableau as prefixed formulas; additionally, the Kripke frame is encoded in path information formulas (pifs). An additional symbol $\nabla$ can occur instead of prefixes and state variables as an auxiliary "generic prefix". $\nabla$ is instantiated by a prefix when a state on the respective segment is explicitly named.

Definition 9 (Syntax of $\mathcal{T}_E$ Tableau Formulas).

1. For an ECL formula $F$ with state variables $s_1, \ldots, s_n$ and prefixes $\gamma_1, \ldots, \gamma_n \in \Gamma \cup \{\nabla\}$, $F[\gamma_1/s_1, \ldots, \gamma_n/s_n]$ is a $\mathcal{T}_E$-path formula.

2. With $\blacklozenge s : F$ and $\blacksquare s : F$ a $\mathcal{T}_E$-path formula and $\gamma$ a prefix, $\blacklozenge s_{\geq\gamma} : F$ and $\blacksquare s_{\geq\gamma} : F$ are $\mathcal{T}_E$-path formulas.

3. For a $\mathcal{T}_E$-path formula $F$ and $\gamma \in \Gamma \cup \{\nabla\}$, $\gamma : F$ is a $\mathcal{T}_E$-prefixed formula.

4. Every $\mathcal{T}_E$-prefixed formula which does not contain $\nabla$ is also a $\mathcal{T}_E$-node formula.

5. With $\gamma_0, \gamma_1, \ldots$ prefixes and $L_i$ a conjunction of $\mathcal{T}_E$-prefixed formulas, $[\gamma_0, L_0, \gamma_1, L_1, \ldots, \gamma_n, L_n, \infty]$ is a $\mathcal{T}_E$-path information formula.

6. Every $\mathcal{T}_E$-path information formula is a $\mathcal{T}_E$-node formula.

Remark 2 (Properties of $\mathcal{T}_E$ formulas). Note that $\mathcal{T}_E$-path formulas do not contain any free state variables, and the restricted quantifiers $\blacklozenge s_{\geq\gamma}$ and $\blacksquare s_{\geq\gamma}$ occur only in the outermost positions of $\mathcal{T}_E$-path formulas.



Definition 10 (Semantics of $\mathcal{T}_E$ Tableau Formulas). The relation $\models$ of a linear Kripke structure with a transition oracle $K = (U, M)$, a prefix interpretation $\Pi$, a variable assignment $\chi$, and a $\mathcal{T}_E$-node formula is defined as follows:

— For every $\mathcal{T}_E$-path formula $E$ neither containing $\nabla$ nor beginning with $\blacklozenge s_{\geq\gamma}$ or $\blacksquare s_{\geq\gamma}$ and every prefix $\gamma$, let $\gamma_1, \ldots, \gamma_n$ be the prefixes occurring in $E$, $s_1, \ldots, s_n$ new state variables and $\zeta = \{s_j \mapsto \Pi(\gamma_j, \chi) \mid 1 \leq j \leq n\}$. Then,
$$(K, \Pi, \chi) \models \gamma : E \;:\Leftrightarrow\; \text{there is an } i \in \mathbb{N} \cup \{\infty\} \text{ s.t. } (K[\Pi(\gamma, \chi), i], \chi, \zeta) \models E[s_1/\gamma_1, \ldots, s_n/\gamma_n].$$
(In particular, for an action formula $E$,
$$(K, \Pi, \chi) \models \gamma : E \;\Leftrightarrow\; (K(\Pi(\gamma, \chi), \Pi(\gamma, \chi) + 1), \chi) \models E,$$
i.e., if the transition from $\Pi(\gamma, \chi)$ to $\Pi(\gamma, \chi) + 1$ satisfies $E$ under $\chi$.)

— For every $\mathcal{T}_E$-path formula beginning with $\blacklozenge s_{\geq\gamma}$ or $\blacksquare s_{\geq\gamma}$ and every prefix $\alpha$,
$$(K, \Pi, \chi) \models \alpha : \blacklozenge s_{\geq\gamma} : F \;:\Leftrightarrow\; (K, \Pi \cup \{\delta \mapsto i\}, \chi) \models \alpha : F[\delta/s] \text{ for some } i \geq \Pi(\gamma, \chi),$$
$$(K, \Pi, \chi) \models \alpha : \blacksquare s_{\geq\gamma} : F \;:\Leftrightarrow\; (K, \Pi \cup \{\delta \mapsto i\}, \chi) \models \alpha : F[\delta/s] \text{ for all } i \geq \Pi(\gamma, \chi).$$

— For every path information formula $[\gamma_0, L_0, \gamma_1, L_1, \ldots, \gamma_n, L_n, \infty]$:
$(K, \Pi, \chi) \models [\gamma_0, L_0, \gamma_1, L_1, \ldots, \gamma_n, L_n, \infty]$ iff $\Pi(\gamma_0, \chi) = 0$ and for all $0 \leq i \leq n$: $\Pi(\gamma_i, \chi) < \Pi(\gamma_{i+1}, \chi)$, and for all $j$ with $\Pi(\gamma_i, \chi) < j < \Pi(\gamma_{i+1}, \chi)$:
$$(K, \Pi \cup \{\delta \mapsto j\}, \chi) \models L_i[\delta/\nabla] \quad \text{with } \delta \text{ a new 0-ary prefix symbol.}$$

This condition means that for all (finitely, but arbitrarily many) states $j$ situated between $\Pi(\gamma_i, \chi)$ and $\Pi(\gamma_{i+1}, \chi)$ in $K$, the instantiation of $L_i$ for a new prefix which is mapped to $j$ holds in $K$.

Note that $L_i = \mathit{false}$ implies $\Pi(\gamma_{i+1}, \chi) = \Pi(\gamma_i, \chi) + 1$.

Note that the semantics for $\mathcal{T}_E$-prefixed formulas containing $\nabla$ is not defined. They occur only in the list components of path information formulas, and $\nabla$ is instantiated by a prefix when the list is used.

A set $\mathcal{F}$ of path information formulas and prefixed formulas is valid in a linear Kripke structure $K = (U, M)$ under a variable assignment $\chi$ if there is a prefix interpretation $\Pi$ such that $(K, \Pi, \chi) \models \mathcal{F}$. Since a branch of a tableau is a set of formulas like this, validity is a relation on Kripke structures with transition oracles and branches.

The construction of Kripke structures and consistent prefix interpretations for a given set of formulas plays an important role in the proof of correctness.



5 The Tableau Calculus $\mathcal{T}_E$

As usual, the tableau is initialized with a set $\mathcal{F}$ of formulas which should be proven to be inconsistent, i.e., it is shown that there is no linear Kripke structure $K = (U, M)$ such that $\mathcal{F}$ holds in $M(0)$. Thus the initialization of the tableau is
$$[0, \mathit{true}, \infty] \qquad 0 : F \quad \text{for every } F \in \mathcal{F}.$$

The $\alpha$-, $\beta$-, $\gamma$-, $\delta$-rules for first-order formulas are as usual (extended with prefixes); boolean combinations of prefixed formulas are resolved analogously.

Atomic Closure Rule. For a substitution $\sigma$ and a prefix $\gamma$, $\sigma_\gamma$ is the $\gamma$-localization of $\sigma$, i.e., $\sigma_\gamma(A)$ is obtained from $\sigma(A)$ by replacing every function symbol $f \in \Sigma$ by its localized symbol $f_\gamma$. So the substitutes in $\sigma_\gamma$ contain only function symbols which are interpreted state-independently. In the following rule, $\sigma$ is a substitution and $A$, $B$ are atomic formulas:
$$\frac{\gamma : A \qquad \gamma : B \qquad \sigma(A) = \neg\sigma(B)}{\text{close; apply } \sigma_\gamma \text{ to the whole tableau.}}$$

For resolving modalities, the information about the frame of the Kripke structure, which is encoded in the pifs, is used. In a single step, a prefixed formula is resolved "along" a pif, inducing the following form of tableau rules:
$$\frac{\text{prefixed formula} \qquad \text{path information formula}}{\text{prefixed formulas} \qquad \text{path information formulas}}$$
where the premise takes the latest pif on the current branch. The connection between the prefixed formula being resolved and the pif is established by the prefix.

In the sequel, $T$ denotes the current branch of the tableau, $\mathit{free}(T)$ the free variables on $T$, $\delta$ is a new prefix symbol, and $E$ is an ECL formula.

Prefixed Event Formulas. For a prefixed event formula, the prefix must coincide with the respective prefix of the prefixed formula in the tableau, i.e., $\alpha : (\beta \rhd E)$ requires $\alpha = \beta$.¹
$$\frac{\alpha : (\beta \rhd E)}{\beta = \alpha \qquad \alpha : E}$$
(Here and in the following, $\beta = \alpha$ evaluates to close if $\alpha$ and $\beta$ are different prefixes, and to true otherwise.)

¹ Here, the reader is asked to distinguish between a prefix $\gamma : E$ and prefixing or postfixing a formula by $\gamma \rhd E$ or $E \lhd \gamma$.

Postfixed Event Formulas. For a postfixed formula $E \lhd \beta$, it has to be distinguished whether $E$ is elementary, i.e., a delay, a deadlock, an action formula, or a first-order formula, or whether it is itself a complex event. The postfixing operator $\lhd$ associates a synchronization point with the last elementary component of an event. Thus, postfixes can only be resolved if this final event is associated with a transition; otherwise, the formula has to be rewritten. The base cases also act as closure rules if the assignment of prefixes is inconsistent:



$$\frac{\alpha : E \lhd \beta,\ len(E) = \{1\} \qquad [\ldots, \alpha, L, \beta, \ldots]}{[\ldots, \alpha, \mathit{false}, \beta, \ldots] \qquad \alpha : E}
\qquad\qquad
\frac{\alpha : F \lhd \beta,\ len(F) = \{0\}}{\beta = \alpha \qquad \alpha : F}$$

[The rule for $\alpha : \partial \lhd \beta$, with the pif $[\ldots, \alpha, \ldots]$ as second premise and a closing alternative, is not recoverable from the scan.]



Definition 11 (Normal Form wrt. Postfixes). The syntactic operator $\Theta$ rewrites postfixed complex ECL formulas such that $len(E) \cap \{2, 3, \ldots\} \neq \emptyset$ by moving the postfix inside the outermost event connective:
$$\Theta((E \lhd t) \lhd s) := \begin{cases} (E \lhd t) \lhd s & \text{if } len(E) \cap \{2, 3, \ldots\} = \emptyset, \\ \Theta(\Theta(E \lhd t) \lhd s) & \text{otherwise,} \end{cases}$$
$$\Theta((t \rhd E) \lhd s) := t \rhd (E \lhd s),$$
$$\Theta((E \otimes F) \lhd s) := E \otimes (F \lhd s),$$
$$\Theta((E \times F) \lhd s) := (E \lhd s) \times (F \lhd s),$$
$$\Theta((E + F) \lhd s) := (E \lhd s) + (F \lhd s),$$
$$\Theta((E^*) \lhd s) := \mathit{true} \lhd s + E^* \otimes (E \lhd s),$$
$$\Theta((\exists x : E) \lhd s) := \exists x : (E \lhd s),$$
$$\Theta((\forall x : E) \lhd s) := \forall x : (E \lhd s),$$
$$\Theta((\blacklozenge s' : E) \lhd s) := \blacklozenge s' : (E \lhd s).$$

Note that formulas of length $len(E) = \{0\}$ are (possibly pre- or postfixed) first-order formulas or temporal implications, and formulas of $len(E) = \{1\}$ are (possibly pre- or postfixed) action formulas. Thus, $\Theta$ is the identity on temporal implications $E \leadsto F$ (since $len(E \leadsto F) = \{0\}$). Postfixing of formulas of the form $\blacksquare s : E$ is not defined, and $\partial$ is not a complex event formula.

The above definition is not recursive, but denotes only a one-level rewriting of the parse tree of the formula (which is typical for tableau calculi); $\Theta$ does not occur on the right-hand side. Only when $\Theta$ is iterated, a normal form is obtained:



Proposition 3 (Normal Form wrt. Prefixes and Postfixes). For every linear Kripke structure $K$, ECL formula $E$, variable assignment $\chi$ and assignment $\zeta$ of state variables, $(K[i,j], \chi, \zeta) \models E \;\Leftrightarrow\; (K[i,j], \chi, \zeta) \models \Theta(E)$. Iterated application of $\Theta$ yields an expression where only formulas $E$ s.t. $len(E) \cap \{2, 3, \ldots\} = \emptyset$ or delays are postfixed.
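As an added illustration (not code from the paper), the following Python computes the length sets of Definition 2 and applies the one-level rewriting $\Theta$ of Definition 11 until the normal form of Proposition 3 is reached. The tuple encoding of formulas and the bound `CAP`, above which finite lengths are cut off, are assumptions of this example.

```python
"""Length sets of ECL formulas (Definition 2) and the postfix normal form Θ (Definition 11,
Proposition 3). Added illustration, not the paper's code; the tuple encoding is an
assumption: ("fo", p), ("delay",), ("dead",), ("act", a), ("pre", s, E), ("post", E, s),
("seq", E, F), ("par", E, F), ("alt", [E1, ...]), ("star", E), ("some", s, E) for ♦s : E,
("every", s, E) for ■s : E, ("exists", x, E), ("forall", x, E), ("impl", E, F).
Length sets are infinite in general; they are computed exactly up to the bound CAP."""
INF = float("inf")
CAP = 16                                   # assumption: finite lengths above CAP are cut off
NAT = frozenset(range(CAP + 1))            # the finite part N of N ∪ {∞}, up to CAP


def lengths(E):
    """len(E) ∩ ({0, ..., CAP} ∪ {∞}) along the cases of Definition 2."""
    tag = E[0]
    if tag in ("fo", "impl"):                            # first-order formulas, constraints
        return frozenset({0})
    if tag in ("delay", "dead"):                         # ∂ and ⊥: N ∪ {∞}
        return NAT | {INF}
    if tag == "act":                                     # action formulas
        return frozenset({1})
    if tag in ("pre", "exists", "forall", "some"):       # s ▷ E, ∃x : E, ∀x : E, ♦s : E
        return lengths(E[2])
    if tag == "post":                                    # E ◁ s needs a finite end: len(E) ∩ N
        return lengths(E[1]) & NAT
    if tag == "seq":                                     # (len(E) ∩ N) + len(F)
        return frozenset(a + b for a in lengths(E[1]) & NAT for b in lengths(E[2])
                         if a + b <= CAP or b == INF)
    if tag == "par":                                     # len(E) ∩ len(F)
        return lengths(E[1]) & lengths(E[2])
    if tag == "alt":                                     # union over the alternatives
        return frozenset().union(*(lengths(F) for F in E[1]))
    if tag == "star":                                    # all sums n_1 + ... + n_k, k >= 0
        base, result, frontier = lengths(E[1]), {0}, {0}
        while frontier:
            frontier = {a + b for a in frontier for b in base & NAT if a + b <= CAP} - result
            result |= frontier
        return frozenset(result | ({INF} if INF in base else set()))
    if tag == "every":                                   # ■s : E has length {∞}
        return frozenset({INF})
    raise ValueError(f"unknown connective {tag}")


def long(E):
    """Side condition of Definition 11: len(E) ∩ {2, 3, ...} ≠ ∅ (decided up to CAP)."""
    return any(2 <= n < INF for n in lengths(E))


def theta(P):
    """One-level rewriting Θ of a postfixed formula P = E ◁ s (Definition 11)."""
    _, E, s = P
    tag = E[0]
    if tag == "post":                                    # (F ◁ t) ◁ s
        return P if not long(E[1]) else theta(("post", theta(E), s))
    if tag == "pre":                                     # t ▷ (F ◁ s)
        return ("pre", E[1], ("post", E[2], s))
    if tag == "seq":                                     # E' ⊗ (F ◁ s)
        return ("seq", E[1], ("post", E[2], s))
    if tag == "par":                                     # (E' ◁ s) × (F ◁ s)
        return ("par", ("post", E[1], s), ("post", E[2], s))
    if tag == "alt":                                     # (E_1 ◁ s) + ... + (E_n ◁ s)
        return ("alt", [("post", F, s) for F in E[1]])
    if tag == "star":                                    # true ◁ s + E* ⊗ (E ◁ s)
        return ("alt", [("post", ("fo", "true"), s), ("seq", E, ("post", E[1], s))])
    if tag in ("exists", "forall", "some"):              # quantifier stays outside
        return (tag, E[1], ("post", E[2], s))
    raise ValueError(f"Θ is not defined for {tag}")      # delays, ■s : E, base formulas


def normalize(P):
    """Iterate Θ over the whole formula until only delays and formulas E with
    len(E) ∩ {2, 3, ...} = ∅ are postfixed (Proposition 3)."""
    if P[0] == "post":
        if P[1][0] == "delay" or not long(P[1]):         # base case keeps its postfix
            return ("post", normalize(P[1]), P[2])
        return normalize(theta(P))
    if P[0] == "alt":
        return ("alt", [normalize(F) for F in P[1]])
    return tuple(normalize(F) if isinstance(F, tuple) else F for F in P)


if __name__ == "__main__":
    A, B, G = ("act", "a"), ("act", "b"), ("act", "g")
    event = ("seq", ("delay",), ("seq", A, ("seq", ("star", B), G)))   # ∂ ⊗ a ⊗ b* ⊗ g
    print(sorted(lengths(event)), normalize(("post", event, "s")))
```

For the event of Example 1 the postfix ends up on the final action formula only, and the length set is unchanged by the rewriting, as Proposition 3 requires.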

In non-base cases, the operator $\Theta$ is applied for rewriting the formula:
$$\frac{\alpha : E \lhd \beta,\ len(E) \cap \{2, 3, \ldots\} \neq \emptyset}{\alpha : \Theta(E \lhd \beta)}$$

Alternative and parallel compositions. These connectives are disjunctive and conjunctive, respectively, and are resolved analogously to the $\alpha$- and $\beta$-rules of first-order tableau calculi:
$$\frac{\alpha : \sum_{i=1}^{n} E_i}{\alpha : E_1 \;\mid\; \cdots \;\mid\; \alpha : E_n} \qquad\qquad \frac{\alpha : (E_1 \times \cdots \times E_n)}{\alpha : E_1 \quad \cdots \quad \alpha : E_n}$$
Sequential Composition: $E \otimes F$. Semantically, the brackets around composite events of the form $(E_1 \otimes \ldots \otimes E_n)$ and $(E_1 \times \ldots \times E_n)$ can be regarded as synchronization points, i.e., (virtual) entities in the sense of the tableau representation: Detecting an event $E \otimes F$ in $\alpha$ is equivalent to the event $\blacklozenge s : (E \lhd s) \otimes (s \rhd F)$ where $s$ must be bound to a state after the current state.

With the rules for $\blacklozenge$ (see below), the state variable in $\alpha : \blacklozenge s : (E \lhd s) \otimes (s \rhd F)$ is instantiated systematically with the prefixes. Then, the resulting formula $\alpha : (E \lhd \beta) \otimes (\beta \rhd F)$ can be split into two parts ("sequential conjunction").

Shortcuts can be defined when one of the events is a base case, i.e., a delay, a first-order formula, or an action formula.

Iterative Composition. Iterative composition is reduced to sequential composition:
$$\frac{\alpha : E^*}{\alpha : \mathit{true} \;\mid\; \alpha : E \otimes E^*}$$

Temporal Quantification. Due to the fact that there is a linear ordering between states, the $\gamma$- and $\delta$-rules cannot be adapted to temporal quantification of synchronization points; instead, every synchronization point must be integrated into this ordering. For this, analogous to the resolving of eventuality formulas in the tableau calculus for CTL, synchronization points are shifted along path formulas. The rules correspond to a systematic application of the $\gamma$- or $\delta$-rules, known from first-order tableau calculi for universal and existential quantification, along the state sequence.
$$\frac{\alpha : \blacksquare s : E}{\alpha : \blacksquare s_{\geq\alpha} : E} \qquad\qquad \frac{\alpha : \blacklozenge s : E}{\alpha : \blacklozenge s_{\geq\alpha} : E}$$
$$\frac{\alpha : \blacksquare s_{\geq\beta} : E \qquad [\ldots, \beta, L, \gamma, \ldots]}{\alpha : E[\beta/s] \qquad [\ldots, \beta, L \wedge \alpha : E[\nabla/s], \gamma, \ldots] \qquad \text{if } \gamma \neq \infty:\ \alpha : \blacksquare s_{\geq\gamma} : E}$$
Expl.: $E[\nabla/s]$ holds for all subsequent states, i.e., for $\beta$, for all unknown states between $\beta$ and $\gamma$, and for all states $\geq \gamma$.
$$\frac{\alpha : \blacklozenge s_{\geq\beta} : E \qquad [\ldots, \beta, L, \gamma, \ldots]}{\alpha : E[\beta/s] \quad\Big|\quad \begin{array}{l} \alpha : (E[\beta/s] \leadsto \bot) \\ \alpha : E[\delta(\mathit{free}(T))/s] \\ L[\delta(\mathit{free}(T))/\nabla] \\ [\ldots, \beta, L, \delta(\mathit{free}(T)), L, \gamma, \ldots] \end{array} \quad\Big|\quad \begin{array}{l} \text{if } \gamma \neq \infty: \\ \alpha : (E[\beta/s] \leadsto \bot) \\ [\ldots, \beta, L \wedge (\alpha : E[\nabla/s] \leadsto \bot), \gamma, \ldots] \\ \alpha : \blacklozenge s_{\geq\gamma} : E \end{array}}$$
Expl.: $E[\nabla/s]$ holds for some subsequent state; thus, this must be $\beta$, or some state between $\beta$ and $\gamma$ which becomes named in this case, or some state $\geq \gamma$.

Here, the second part of the consequence of the rule for $\blacklozenge$ names a state $\delta(\mathit{free}(T))$ which is considered to be relevant (since it is a possible instantiation of $s$). In this case, the list $L$ in the path information formula states some requirements on all states on a path segment, thus also on $\delta(\mathit{free}(T))$. These are made explicit by instantiating $L$ with $\delta(\mathit{free}(T))/\nabla$.
Temporal Implication. When resolving constraints $E \leadsto F$, in the base case, $E$ is a first-order formula or an action formula or a delay:
$$\frac{\alpha : E \leadsto F}{\alpha : \neg E \;\mid\; 0 : F} \quad \text{for } E \text{ a first-order formula,} \qquad\qquad \frac{\alpha : E \leadsto F}{\alpha : \neg E \;\mid\; \alpha : E,\ 0 : F} \quad \text{for } E \text{ an action formula.}$$

By applying the following rules, constraints are rewritten until the antecedent consists only of a first-order formula or an action formula:
$$\frac{\alpha : (\beta \rhd E) \leadsto F}{\alpha \neq \beta \;\mid\; \alpha = \beta,\ \alpha : E \leadsto F}
\qquad\qquad
\frac{\alpha : (E + F) \leadsto G}{\alpha : E \leadsto G \qquad \alpha : F \leadsto G}$$
$$\frac{\alpha : (\blacklozenge s : E) \leadsto F}{\alpha : \blacksquare s_{\geq\alpha} : (E \leadsto F)}
\qquad\qquad
\frac{\alpha : (E \leadsto F) \leadsto G}{\alpha : E,\ 0 : (F \leadsto \bot) \;\mid\; \alpha : E \leadsto F,\ 0 : G}$$
Expl.: if $E$ implies $F$ then $G$ holds, i.e., either $E \leadsto F$ does not hold ($E$ is detected and $F$ cannot be detected), or $E \leadsto F$ holds and $G$ can be detected.

Postfixed event formulas require additional attention: base cases can be resolved immediately, non-base cases have to be rewritten:
$$\frac{\alpha : (E \lhd \beta) \leadsto F,\ len(E) = \{0\}}{\beta \neq \alpha \;\mid\; \beta = \alpha,\ \alpha : E \leadsto F}
\qquad\qquad
\frac{\alpha : (\partial \lhd \alpha) \leadsto F}{0 : F}$$
$$\frac{\alpha : (E \lhd \beta) \leadsto F,\ len(E) = \{1\} \qquad [\ldots, \alpha, L, \gamma, \ldots]}{\beta \neq \gamma \quad\Big|\quad \begin{array}{l} \beta = \gamma \\ [\ldots, \alpha, \mathit{false}, \delta(\mathit{free}(T)), L, \gamma, \ldots] \\ L[\delta(\mathit{free}(T))/\nabla] \end{array} \quad\Big|\quad \begin{array}{l} \beta = \gamma \\ [\ldots, \alpha, \mathit{false}, \gamma, \ldots] \\ \alpha : E \leadsto F \end{array}}$$
Expl.: First case: $\gamma \neq \beta$ is the next known state; thus, $\beta$ is later than $\alpha + 1$, and $E \lhd \beta$ cannot be detected in $\alpha$. Second case: $\beta = \gamma$ is the next known state, but not the successor state.
$$\frac{\alpha : (E \lhd \beta) \leadsto F,\ len(E) \cap \{2, 3, \ldots\} \neq \emptyset}{\alpha : \Theta(E \lhd \beta) \leadsto F}$$

Some constraints show a special behavior: Since $E^*$ has trivial occurrences, $E^* \leadsto F$ reduces to $0 : F$:
$$\frac{\alpha : E^* \leadsto F}{0 : F}$$

Events of the form $\blacksquare s : E$ cannot be finitely detected; thus, implications containing them in the antecedent have to be resolved in a different way. $\alpha : (\blacksquare s : E) \leadsto F$ is equivalent to the fact that either there is a state $\beta$ later than $\alpha$ such that $\alpha : E[\beta/s]$ does not occur, or $K$ satisfies $F$:
$$\frac{\alpha : (\blacksquare s : E) \leadsto F}{\alpha : \blacklozenge s : (E \leadsto \bot) \;\mid\; 0 : F}$$

Sequential and parallel composition in the antecedent:
$$\frac{\alpha : (E \otimes F) \leadsto G}{\alpha : \blacksquare s_{\geq\alpha} : (((E \lhd s) \otimes (s \rhd F)) \leadsto G)}
\qquad\qquad
\frac{\alpha : ((E \times F) \leadsto G)}{\alpha : \blacksquare s_{\geq\alpha} : ((\alpha \rhd E \lhd s) \leadsto ((\partial \otimes \alpha \rhd F \lhd s) \leadsto G))}$$
Remark 3 (Properties of $\mathcal{T}_E$). $\mathcal{T}_E$ has some special properties which can easily be verified when carefully looking at the rules:

— every prefix symbol is introduced exactly once, with a given arity and the current free variables of the branch as arguments. Thus, for every prefix symbol, at every time, there is exactly one prefix which is built from it.

— every prefix which occurs as prefix or postfix in some formula (i.e., as $\gamma \rhd E$ or $E \lhd \gamma$) of a branch occurs also in the most recent path information formula of the branch.

— if a branch of the tableau contains a formula of the form $\alpha : \blacklozenge s_{\geq\beta} : F$ or $\alpha : \blacksquare s_{\geq\beta} : F$, then the most recent path information formula on this branch is of the form $[\ldots, \alpha, \ldots, \beta, \ldots]$.

— there are no free state variables in the calculus: Whereas first-order variables are replaced by free variables or Skolem terms, state variables are always replaced by prefixes (see the rules for $\blacksquare s_{\geq\gamma}$ and $\blacklozenge s_{\geq\gamma}$).

Theorem 1 (Correctness of $\mathcal{T}_E$).

(a) If a tableau $T$ is satisfiable and $T'$ is created from $T$ by an application of any of the rules mentioned above, then $T'$ is also satisfiable.

(b) If there is any closed tableau for $T$, then $T$ is unsatisfiable.

The proof (see [May98]) of (a) is done by case-splitting separately for each of the rules. By assumption, there is a Kripke structure $K$ with a transition oracle and a prefix interpretation $\Pi$ such that for every variable assignment $\chi$ there is a branch $T_k$ in $T$ with $(K, \Pi, \chi) \models T_k$. In all cases apart from the atomic closure rule, $K$ and $\Pi$ are extended such that they witness the satisfiability of $T'_k$. In case of the atomic closure rule, a Substitution Lemma guarantees the existence of a satisfying branch for every variable assignment to $\mathit{free}(T'_k)$. (b) follows directly from (a).

Since first-order ECL is not compact, no calculus for it can be complete. The calculus is complete modulo inductive properties. For such cases, induction rules for temporal properties and well-founded data structures have to be included. In this setting, the notion of completeness has to be relativized to the requirement that any proof done in a mathematical way can be completely redone formally.

6 Conclusion

This paper presents a tableau calculus for a linear time temporal logic which is based on temporal connectives instead of modal operators. The underlying Kripke semantics is explicitly encoded into the tableau, based on the ideas of the tableau representation of branching-time structures in [MS96,May97]. In both calculi, exactly those states which are required to construct a potential model of the given formula are named explicitly; all states in between are characterized intensionally within the path information. From the conceptual point of view, the contribution of the paper is that this tableau representation is suitable both for modal temporal logics and for logics using temporal connectives and explicit temporal quantification.

Focusing on temporal connectives, the logic and the calculus show how temporal connections between events can be modeled explicitly by synchronization points. The calculus integrates this synchronization smoothly into the tableau semantics via the introduction of state variables. With the $\blacksquare$ and $\blacklozenge$ operators, the handling of state variables is closely related to the strategy for resolving the CTL modalities $\Box$ and $\Diamond$, making up one more connection between the calculus presented here and the CTL calculus.

Due to its path orientation, the language is significantly different from CTL, which is based on state formulas. However, the tableau semantics and calculus share their basic ideas with the CTL calculus, allowing a potential integration of both calculi.

References

BK94. A. J. Bonner and M. Kifer. An Overview of Transaction Logic. Theoretical Computer Science, 133(2):205-265, 1994.
BT98. H. Bowman and S. Thompson. A Tableau Method for Interval Temporal Logic with Projection. In Tableaux'98, LNCS 1397, pp. 108-123. Springer, 1998.
CT98. J. Chomicki and D. Toman. Temporal Logic in Information Systems. In Logics for Databases and Information Systems, Ch. 3, pp. 31-70. Kluwer, 1998.
Fit90. M. Fitting. First Order Logic and Automated Theorem Proving. Springer, 1990.
Jab94. S. Jablonski. Functional and Behavioural Aspects of Process Modelling in Workflow Management Systems. In Proc. CON'94: Workflow Management, 1994.
May97. W. May. Proving Correctness of Labeled Transition Systems by Semantic Tableaux. In Tableaux'97, LNCS 1227, pp. 261-275. Springer, 1997.
May98. W. May. Integrated Static and Dynamic Modeling of Processes. PhD thesis, Institut für Informatik, Universität Freiburg, Logos Verlag, 1998.
Mos86. B. Moszkowski. Executing Temporal Logic Programs. Cambridge University Press, 1986.
MP95. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Safety. Springer, 1995.
MS96. W. May and P. H. Schmitt. A Tableau Calculus for First-Order Branching Time Logic. In Intl. Conf. on Formal and Applied Practical Reasoning, FAPR'96, LNCS 1085, pp. 399-413. Springer, 1996.
Pra90. V. R. Pratt. Action Logic and Pure Induction. In Logics in AI: European Workshop JELIA'90, LNCS 478, pp. 97-120, 1990.
SGL97. P. H. Schmitt and J. Goubault-Larrecq. A Tableau System for Linear-Time Temporal Logic. In Tools and Algorithms for the Construction and Analysis of Systems, LNCS 1217, pp. 130-144. Springer, 1997.
Sin95. M. P. Singh. Semantical Considerations on Workflows: An Algebra for Intertask Dependencies. In Intl. Workshop on Database Programming Languages, Electronic Workshops in Computing, Gubbio, Italy. Springer, 1995.
TN96. D. Toman and D. Niwinski. First-Order Queries over Temporal Databases Inexpressible in Temporal Logic. In Proc. Int. Conf. on Extending Database Technology, LNCS 1057, pp. 307-324. Springer, 1996.
Wol85. P. Wolper. The Tableau Method for Temporal Logic. Logique et Analyse, 28:110-111, 1985.




A Tableau Calculus for Pronoun Resolution 



Christof Monz (1,2) and Maarten de Rijke (2)

(1) Institute for Computational Linguistics (IMS), University of Stuttgart,
Azenbergstr. 12, 70174 Stuttgart, Germany. E-mail: christof@ims.uni-stuttgart.de
(2) ILLC, University of Amsterdam, Plantage Muidergracht 24, 1018 TV Amsterdam,
The Netherlands. E-mail: {christof, mdr}@wins.uva.nl



Abstract. We present a tableau calculus for reasoning in fragments of 
natural language. We focus on the problem of pronoun resolution and 
the way in which it complicates automated theorem proving for natural 
language processing. A method for explicitly manipulating contextual 
information during deduction is proposed, where pronouns are resolved 
against this context during deduction. As a result, pronoun resolution 
and deduction can be interleaved in such a way that pronouns are only 
resolved if this is licensed by a deduction rule; this helps us to avoid the 
combinatorial complexity of total pronoun disambiguation. 



1 Introduction 

The general aim of Natural Language Processing (NLP) is to analyze and under- 
stand human language using computational tools. In computational semantics, 
one of the subdisciplines of NLP, two specific tasks arise. First, what is the se- 
mantic value, the meaning, of a natural language utterance and how can we 
determine it. And, second, given the semantics of a natural language utterance, 
how can we use it to deduce further information? In practice, these questions are 
interdependent: to properly represent an utterance, one has to access contextual 
information and check what can be derived from it, and to perform derivations 
in the first place we obviously need to represent our information. 

It is probably fair to say that developing inference methods for natural lan- 
guage is one of the most pressing tasks in computational semantics, and the 
present paper tries to contribute to this area. More specifically, we develop a 
tableau calculus in which deduction and pronoun resolution are interleaved. Be- 
fore diving into the details in later sections, let us give a simple example of the 
natural language phenomenon that we are focusing on. Briefly, we are dealing 
with so-called anaphoric expressions or anaphora; typical examples of anaphora 
are pronouns such as ‘she’, ‘he,’ or ‘it’. Anaphora are resolved to or identified 
with other terms, usually occurring earlier on in an utterance or discourse; such 
terms are called antecedents. Here’s an example: 

(1) A woman found a cat on a playground. She liked it. 

What should ‘it’ in the second sentence in (1) refer back to — ‘a cat’ or ‘a playground’?
As a rule, we, the human language users, don’t have problems resolving
such ambiguities; in the case at hand ‘a cat’ would probably be selected



Neil V. Murray (Ed.): TABLEAUX’99, LNAI 1617, pp. 247-262, 1999.
(c) Springer-Verlag Berlin Heidelberg 1999







as antecedent for ‘it.’ But how can a theorem prover that receives (1) as one
of its premises use it to derive conclusions? As long as the pronoun ‘it’ has not
been resolved, this question introduces the problem of ambiguity to the task
of deduction with natural language semantics. Can we conclude either of the
following from (1)?

(2) a. $\models$ A woman liked a cat.
    b. $\models$ A woman liked a playground.¹

One way to tackle this problem is by assuming that anaphoric expressions have to
be resolved before deductive methods are applied. This assumption is common
in several approaches to the semantics of natural language, but in practice it
seems to be too strong and highly implausible, since resolution of pronouns may
in fact require deductive processing to be completed successfully [All94]. Here,
we propose a different approach. We interleave disambiguation and deduction
steps, where a pronoun is resolved only if this is needed by a deduction rule, and
where deductive information is used to steer the resolution process.

In this paper, we assume that the semantic representations for natural language
sentences are already given. Of course, this is not a trivial task, and it
would be far beyond the scope of this paper to discuss it. [Als92] gives an
overview of the Core Language Engine, an implementation that builds (underspecified)
semantic representations for natural language discourses.

The rest of the paper is organized as follows. In Section 2 we provide further 
examples and some linguistic background; this section may be skipped by anyone 
familiar with pronoun resolution. Then, in Section 3 we briefly introduce our
formal language, and formalize the notion of context that we will need to model 
pronoun resolution interleaved with deduction. In Section 4 the semantics of 
our formal language is defined, and in Section 5 we provide it with a tableau 
calculus. Finally, Section 6 summarizes our results, and in Section 7 we draw 
some conclusions and formulate further challenges. 

2 Some Linguistic Background 

In this section we quickly review some basic facts and intuitions from natural 
language semantics as they pertain to pronoun resolution. Refer to [KR93] for 
further details. 

If a sentence contains a pronoun, the hearer has to identify it with some
person or thing that has been mentioned earlier to understand this sentence.
Roughly, one can identify context with what has been said earlier. Of course,
this leaves out other contextual information like world knowledge, gestures, etc.,
but as these non-linguistic sources of context are hard to formalize in general,
we will restrict ourselves to the notion of context as linguistic context.

Saying that a pronoun has to be resolved to something that appears in the
context does not mean that it can be identified with just anything in the context:
there are some clear constraints. To illustrate these, we give some examples (the
asterisk (*) indicates that a discourse is not well-formed).

¹ To keep things simple, we do not employ any preference order of the readings, although
this may be desirable in the long run.

The discourse in (3) below is not well-formed, because the pronoun ‘She’ and 
‘a man’, which is the only thing that could function as an antecedent, do not 
agree on gender. 

(3) * A man sleeps. She snores. 

In (4), it is not possible to bind ‘it’ to ‘a car’, because although ‘a car’ was
mentioned before, its existence has not been claimed; on the contrary, it was
said that there is no such car. In other words, ‘it’ cannot refer to something
that does not exist.

(4) * Buk doesn’t have a car. It is red. 

Conditionals are another interesting case. The if-clause in (5.a) introduces two
antecedents, ‘a linguist’ and ‘a car’, which can both serve as antecedents for
pronouns in the then-clause. But they cannot serve as antecedents for pronouns
occurring in later sentences, as in (5.b). Roughly, objects that are introduced in
an if-clause are just assumed to exist, and the then-clause expresses what has
to hold under this assumption. Clauses that follow the conditional sentence are
not uttered within the context of this assumption, and therefore their pronouns
cannot access things occurring inside the assumption. One can say that the
assumption expressed by the if-clause is a local context, which is only accessible
to the then-clause.



(5) a. If a linguist has a car, then it didn’t cost much. 

b. * If a linguist has a car, then it didn’t cost much. It is very old. 



Universal quantification, as in (6), does not talk about particular individuals,
and it is not possible to refer back to ‘every poet’ with the pronoun ‘he’. The
same holds for indefinite noun phrases that occur in the scope of the universal
quantifier. Since they depend on each instantiation of the universally quantified
variable, there need not be a particular individual that can be referred to by a
singular pronoun.



(6) Every poet who has published a book likes it.
    { *He is arrogant.
    { *But it is really bad.



Summarizing the important points of the above examples, pronouns need to
agree with their antecedents on a number of features, and some information within
a discourse may be inaccessible to pronouns that occur later in the discourse.
These two points will play an important role in our tableau calculus below.



3 Towards Context-Based Reasoning 

This section provides a formal account of context and the way it is dealt with
in deduction. It will become obvious that deduction with natural language semantics is
much more structure-sensitive than, for instance, classical first-order logic. Here,
we restrict ourselves to those kinds of structural information that are needed in
order to allow pronoun resolution, but see [MdR98a] for a more general overview
of this topic.

3.1 Formalizing Context 

In the preceding section we provided some intuitions about pronoun-antecedent 
relations and the role structural information played in this setting. We will now 
formalize the way in which contextual information flows within a discourse. As 
a first step we introduce the formal language that we will be using. 

Definition 1 (The Language). Assuming that $\varphi_1$ and $\varphi_2$ are formulas of the language,
we say that $\varphi$ is a formula if:

$\varphi ::= R(x_{1g}, \dots, x_{ng}) \mid \neg\varphi_1 \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \to \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \forall x_g\,\varphi_1 \mid \exists x_g\,\varphi_1 \mid\ ?x_g\,\varphi_1$

where $g \in \{he, she, it\}$.

Thus, besides the usual logical connectives $\neg, \wedge, \to, \vee, \forall, \exists$, we introduce a new
operator $?$ that binds pronoun variables.

Contrary to approaches like Dynamic Predicate Logic (DPL, [GS91]), it is
not assumed that pronouns are already resolved when constructing the semantic
representation of a discourse. Given a formula $\varphi$, we say that $[\varphi]$ is a function
from subsets of $VAR$ (the set of variables) to subsets of $VAR$, where the argument
is the input context and the value denotes the output context or context
contribution. The contextual contribution of a formula $\varphi$ is the set of variables
that $\varphi$ adds to the input context.

Definition 2 (Contextual Contribution). The contextual contribution of a
formula $\varphi$, $[\varphi]$, is defined recursively, as specified below. There, $i$ is a
subset of $VAR$. Note that $[\cdot]$ is partial, where $[\varphi](i)$ is undefined whenever $\varphi$
contains pronouns that cannot be resolved against $i$.

(i)    $[R(x_{1g}, \dots, x_{ng})](i) = \emptyset$
(ii)   $[\neg\varphi](i) = \emptyset$, if $[\varphi](i)$ is defined
(iii)  $[\varphi \wedge \psi](i) = [\varphi](i) \cup [\psi](i \cup [\varphi](i))$
(iv)   $[\varphi \to \psi](i) = \emptyset$, if $[\varphi](i)$ and $[\psi](i \cup [\varphi](i))$ are defined
(v)    $[\varphi \vee \psi](i) = \emptyset$, if $[\varphi](i)$ and $[\psi](i)$ are defined
(vi)   $[\exists x_g\,\varphi](i) = \{x_g\} \cup [\varphi](i \cup \{x_g\})$
(vii)  $[\forall x_g\,\varphi](i) = \emptyset$, if $[\varphi](i \cup \{x_g\})$ is defined
(viii) $[?x_g\,\varphi](i) = [\varphi](i)$, if $y_{g'} \in i$ for some $y_{g'}$ with $g' = g$

Here $g, g' \in \{she, he, it\}$, and $[\varphi](i)$ is undefined, i.e., there is no $o$ such that
$[\varphi](i) = o$, if the condition on the right hand side is not fulfilled. Undefinedness
is preserved by set union: if $[\varphi](i)$ is undefined, then $[\varphi](i) \cup i'$ is not defined
either, for any input $i'$.
Let us briefly discuss the above definition. Atomic formulas do not add variables
to the input context and the output context is the empty set. Negation behaves
as a barrier: in (ii), the output context is $\emptyset$, no matter what the output context of
the formula in the scope of the negation is. Conjunction is totally dynamic: things
introduced in the first conjunct can serve as antecedents for the second conjunct
as well as for any later formula, and the output of the first conjunct contributes
to the input of the second conjunct while the output of the second conjunct
contributes to the output of the whole formula. The existential quantifier in (vi)
adds the variable that it binds to the input context of its scope, but unlike the
universal quantifier, it also adds the variable to the output context. In (viii), the
pronoun operator is treated. It assumes that there is a variable $y$ in the input
context that agrees with $x$ on gender.

3.2 Contextual Information and Deduction 

Definition 2 explains how context flows through a sequence of formulas. As de- 
ductive methods such as the tableau method manipulate the structure of formu- 
las, we have to guarantee that the flow of contextual information is preserved 
by these manipulations. Our informal discussion below explains how we achieve 
this by introducing suitable labels on formulas; the formal details are postponed 
until Section 5. 



Threading Context. To resolve pronouns during deduction, it is necessary to
keep track of the context against which a particular pronoun can be resolved.
The context is not a global parameter because it can change while processing a
sequence of formulas. To implement this idea, formulas will be annotated with
contextual information of the form $(i, o) : \varphi$, where $i$ is the input context and $o$
is the output context.



Structure Preservation. One of the major differences between dynamic semantics
and classical logics is the structural sensitivity of the former. As an
example, whereas $\neg\neg\varphi$ is classically equivalent to $\varphi$, this does not hold in dynamic
semantics, because the output contexts of the formulas $\neg\neg\varphi$ and $\varphi$ are
not the same since negation functions as a kind of barrier. Consider (7):

(7)   $(i, \emptyset) : \varphi \to \psi$
      ---------------------------------------------
      $(i, o) : \neg\varphi \quad\mid\quad (i \cup o, o') : \psi$

Neglecting labels, (7) is the regular tableau expansion rule for implication. Compare
this to the definition of the contextual contribution of the implication in
Definition 2, where the input context of the consequent $\psi$ consists of the union
of the input context of the formula as a whole, $\varphi \to \psi$, and the contextual
contribution of the antecedent $\varphi$. Now in (7), $o$ will always equal $\emptyset$, simply
because negation functions as a barrier, as explained in Section 2. Therefore,
the implication rule $(\to)$ as it was stated in (7) gives the wrong results. Of







course, the problem is that a negation sign has been introduced by a tableau 
rule, which is a violation of one of the major principles of deduction methods for 
natural language semantics, viz. preservation of structure. But this can easily 
be remedied by using signed tableaux, where each formula is adorned with its 
polarity. Reconsidering the tableau expansion rule for implication, we have to 
distinguish two cases: implication under positive and implication under negative 
polarity. 



(8)   $(+:\to)$   $(i, \emptyset, +) : \varphi \to \psi$
                  ---------------------------------------------------
                  $(i, o, -) : \varphi \quad\mid\quad (i \cup o, o', +) : \psi$

      $(-:\to)$   $(i, \emptyset, -) : \varphi \to \psi$
                  -----------------------------
                  $(i, o, +) : \varphi$
                  $(i \cup o, o', -) : \psi$



Now, we can clearly distinguish between the truth-functional and the contextual
behavior of negation. Note that both rules in (8) thread the context in a similar
fashion even though their truth-functional behavior is different.

The order in which we process sentences is important, as they may contain
anaphoric expressions that are only meaningful if the context provides an appropriate
antecedent. This is also mirrored in the tableau rules, where the input
context of some node depends on the output of another node. For instance,
$(i \cup o, o', -) : \psi$ depends on $(i, o, +) : \varphi$. Observe that this dependency does not only
hold between formulas on the same branch, but can also occur between formulas
on different branches, as exemplified by the rule $(+:\to)$.



A Note on Unification. In Definition 2 contexts are defined as sets of variables.
Below we will be using a free-variable tableau method (cf. [Fit96]), and
we have to think about the double role of variables in a deduction: they are carriers
of a value and possible antecedents for pronouns. Recall that in free-variable
tableaux, universally quantified variables are substituted by a free variable and
existentially quantified variables are substituted by a Skolem function that depends
on the free variables of the existentially quantified formula.

Consider the following situation. In a tableau, there are two nodes of the
form $(i, o, p) : \varphi(x)$ and $(\{x\}, o', p') : \psi$, where $p, p' \in \{+, -\}$ and $x$ is a free
variable in $\varphi$. If $x$ is instantiated to a term $t$, then we have to substitute $t$ for $x$ in
all formulas. But do we also have to substitute $t$ for $x$ in all context parameters?
In our calculus presented in Section 5 below, the following solution is adopted:
if $t$ unifies with $t'$, then $t$ and $t'$ denote the same entity in the model that we
are implicitly building while constructing a tableau. If $t$ is a possible antecedent
for a pronoun $z$, then $t'$ has to be a possible antecedent for $z$, too, since $t$ and $t'$
simply denote the same entity. Therefore, term substitution is applied to both
formulas and contexts.



Introducing Goodness. Up to now, labels adorning formulas carry two kinds
of information: contextual information $(i, o)$ and polarity information $(+, -)$.
These parameters reflect the dynamic behavior of natural language utterances
and the way in which context is threaded through a sequence of sentences. In
addition, we have to account for a more general restriction on natural language
utterances. In the set-up that we have so far, if a pronoun $x_g$ occurs in a context $i$,
all variables that are members of $i$ and agree on gender with $x_g$ can serve as
antecedents. Unfortunately, this is too liberal, as the following example shows.

(9) A man sees a friend of his. He doesn’t see him or he is in a rush.

The pronoun ‘he’ in (9) cannot refer to ‘a man’. Intuitively, this would seem to
violate some kind of consistency constraint. To put it differently, a pronoun
$x_g$ cannot be resolved to an antecedent $y_g$ if they carry contradictory information.
Following [vD98], we call this restriction on possible pronoun resolutions
goodness. Observe that goodness is a special case of a more general pragmatic
principle like Grice’s maxim of quality, cf. [Gri89].

How do we implement the notion of goodness in our calculus? The premises
and the conclusion themselves should be consistent, as we assume that native
speakers do not utter inconsistent sentences. In our calculus we will implement
this idea by making an explicit distinction between the (original) premises and
(original) conclusions of a tableau proof; we will mark the former with $p$ and the
latter with $c$.²

Summing up, then, the nodes in our tableau calculus will be labeled formulas of
the form $(i, o, \varrho, p) : \varphi$. Here, $i$ is the input context, $o$ is the context contribution
of $\varphi$, $\varrho \in \{p, c\}$ indicates whether $\varphi$ occurs as part of the premises or the
conclusion, and $p \in \{+, -\}$ carries the polarity of $\varphi$.

4 The Semantics of Pronoun Ambiguity

Before we introduce our tableau calculus we present the semantics of the language and a
notion of entailment for it. Starting with the latter, there are various possibilities.
Following our discussion in Section 2, we opt for an entailment relation $\models_a$ where
$\psi$ follows from $\varphi_1, \dots, \varphi_n$ if there is a disambiguation $\theta$ of $\varphi_1, \dots, \varphi_n$ and a
disambiguation $\theta'$ of $\psi$ such that $\theta(\varphi_1, \dots, \varphi_n) \models \theta'(\psi)$. This choice might lead to
overdefinedness of some formula $\varphi$, since it might be the case that $M, h, i \models \theta(\varphi)$
for some disambiguation $\theta$, but $M, h, i \not\models \theta'(\varphi)$ for another disambiguation $\theta'$.

To be able to deal with this, we distinguish between verification ($\models_a$) and
falsification ($=\!|_a$). To motivate this distinction, compare the sentences in (10).

(10) a. It is not the case that he sleeps.
     b. He doesn’t sleep.

Their semantic representations are formulas of the form $\neg ?x_g\,\varphi$ and $?x_g\,\neg\varphi$,
respectively. Intuitively, (10.a) and (10.b) have the same meaning, therefore it
should be the case that $\neg ?x_g\,\varphi$ and $?x_g\,\neg\varphi$ are logically equivalent. If we would
try to set up a semantics for the language by simply using $\models_a$, we would not get the
desired equivalence of $\neg ?x_g\,\varphi$ and $?x_g\,\neg\varphi$:

² Readers familiar with abduction may find it helpful to compare this distinction to
the one where, in abduction, one requires that explanations preserve the consistency
of the premises; see [CMP93].

(11) a. $M, h, i \models_a \neg ?x_g\,\varphi$ iff $M, h, i \not\models_a ?x_g\,\varphi$
        iff $M, h[x_g/h(y_g)], i \not\models_a \varphi$ for all $y_g \in i$
     b. $M, h, i \models_a ?x_g\,\neg\varphi$ iff $M, h[x_g/h(y_g)], i \models_a \neg\varphi$ for some $y_g \in i$
        iff $M, h[x_g/h(y_g)], i \not\models_a \varphi$ for some $y_g \in i$

The problem is that a semantics built up by using $\models_a$ alone interprets the ?-operator
as a quantifier, which it is not. On the other hand, if we distinguish between
verification and falsification, we get the desired equivalence:

(12) a. $M, h, i \models_a \neg ?x_g\,\varphi$ iff $M, h, i =\!|_a\ ?x_g\,\varphi$
        iff $M, h[x_g/h(y_g)], i =\!|_a\ \varphi$ for some $y_g \in i$
     b. $M, h, i \models_a ?x_g\,\neg\varphi$ iff $M, h[x_g/h(y_g)], i \models_a \neg\varphi$ for some $y_g \in i$
        iff $M, h[x_g/h(y_g)], i =\!|_a\ \varphi$ for some $y_g \in i$

In the following definition verification and falsification for the other boolean
connectives are defined.

Definition 3 (Semantics). Verification and falsification are defined,
given a model $M$, a variable assignment $h$ and a context $i$. As usual, a model
$M = (U, \mathcal{I})$ consists of two parts: a universe $U$ and an interpretation $\mathcal{I}$ of the
non-logical constants. First, we are going to define the semantics of the terms:
$x_g$ is a variable (possibly a pronoun) with gender $g$, $c_g$ is a constant with
gender $g$, and $f_g$ is a function with gender $g$, where $g \in \{he, she, it\}$.

(a) $[\![x_g]\!] = h(x_g)$
(b) $[\![c_g]\!] = \mathcal{I}(c_g)$
(c) $[\![f_g(t_1, \dots, t_n)]\!] = \mathcal{I}(f_g)([\![t_1]\!], \dots, [\![t_n]\!])$

For formulas, $\models_a$ and $=\!|_a$ can be defined recursively:

(i)    $M, h, i \models_a R(t_1, \dots, t_n)$ iff $([\![t_1]\!], \dots, [\![t_n]\!]) \in \mathcal{I}(R)$
       $M, h, i =\!|_a\ R(t_1, \dots, t_n)$ iff $([\![t_1]\!], \dots, [\![t_n]\!]) \notin \mathcal{I}(R)$
(ii)   $M, h, i \models_a \neg\varphi$ iff $M, h, i =\!|_a\ \varphi$
       $M, h, i =\!|_a\ \neg\varphi$ iff $M, h, i \models_a \varphi$
(iii)  $M, h, i \models_a \varphi \wedge \psi$ iff $M, h, i \models_a \varphi$ and $M, h, i \cup [\varphi](i) \models_a \psi$
       $M, h, i =\!|_a\ \varphi \wedge \psi$ iff $M, h, i =\!|_a\ \varphi$ or $M, h, i \cup [\varphi](i) =\!|_a\ \psi$
(iv)   $M, h, i \models_a \varphi \to \psi$ iff $M, h, i =\!|_a\ \varphi$ or $M, h, i \cup [\varphi](i) \models_a \psi$
       $M, h, i =\!|_a\ \varphi \to \psi$ iff $M, h, i \models_a \varphi$ and $M, h, i \cup [\varphi](i) =\!|_a\ \psi$
(v)    $M, h, i \models_a \varphi \vee \psi$ iff $M, h, i \models_a \varphi$ or $M, h, i \models_a \psi$
       $M, h, i =\!|_a\ \varphi \vee \psi$ iff $M, h, i =\!|_a\ \varphi$ and $M, h, i =\!|_a\ \psi$
(vi)   $M, h, i \models_a \exists x_g\,\varphi$ iff $\exists d \in U : M, h[x_g/d], i \models_a \varphi$
       $M, h, i =\!|_a\ \exists x_g\,\varphi$ iff $\forall d \in U : M, h[x_g/d], i =\!|_a\ \varphi$
(vii)  $M, h, i \models_a \forall x_g\,\varphi$ iff $\forall d \in U : M, h[x_g/d], i \models_a \varphi$
       $M, h, i =\!|_a\ \forall x_g\,\varphi$ iff $\exists d \in U : M, h[x_g/d], i =\!|_a\ \varphi$
(viii) $M, h, i \models_a ?x_g\,\varphi$ iff $\exists y_g \in i : M, h[x_g/h(y_g)], i \models_a \varphi$
       $M, h, i =\!|_a\ ?x_g\,\varphi$ iff $\exists y_g \in i : M, h[x_g/h(y_g)], i =\!|_a\ \varphi$
Overdefinedness is induced by the ?-operator. It is possible that a formula
containing a pronoun can be verified and falsified by a model $M$; i.e., $M, h, i \models_a ?x_g\,\varphi$
and $M, h, i =\!|_a\ ?x_g\,\varphi$. In addition, it might also happen that the semantic
value of a formula $\varphi$ is undefined. This is also due to (viii), where undefinedness
results if there is no accessible variable in the context to which the pronoun could
be resolved. In this case it holds that $M, h, i \not\models_a ?x_g\,\varphi$ and $M, h, i \not=\!|_a\ ?x_g\,\varphi$.

Thus, the resulting logic is four-valued, containing besides truth (1) and falsity
(0) overdefinedness and underdefinedness. This can be illustrated by a Hasse
diagram, as in (13).



(13)          $\{1, 0\}$
             /        \
          $\{1\}$      $\{0\}$
             \        /
              $\emptyset$

The sets denote the truth values that can be assigned to a formula. The singletons
$\{1\}$ and $\{0\}$ denote the classical truth values, $\emptyset$ denotes undefinedness, and $\{1, 0\}$
denotes overdefinedness.
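To make Definitions 2 and 3 concrete, the following Python program (an added example, not the paper's Prolog implementation) computes the contextual contribution $[\varphi](i)$ and the verification/falsification value of formulas encoded as nested tuples, and runs them on the discourses (3) to (6) of Section 2 and on the pronoun sentence of (10). The tuple encoding, the predicate names, the gender-suffixed variable names and the two-element model are constructed for the example; the one assumption beyond the text is that a quantifier's scope is evaluated against the context extended with the bound variable, as in Definition 2 and Table 1.

```python
"""Context flow (Definition 2) and four-valued semantics (Definition 3, diagram (13)) for
formulas with unresolved pronouns.  Added example, not the paper's own implementation.
Formulas are nested tuples following Definition 1: ('atom', 'R', (args,)), ('not', phi),
('and'|'or'|'imp', phi, psi), ('exists'|'forall', 'x_g', phi), ('pro', 'x_g', phi) for ?x_g phi.
Every variable or constant name ends in its gender: x_he, y_she, z_it (a constructed convention)."""

class Unresolvable(Exception):
    """[phi](i) is undefined: a pronoun has no gender-matching antecedent in i."""
def gender(name):
    return name.rsplit('_', 1)[1]
def antecedents(x, i):
    """Terms in context i that agree with pronoun x on gender, in a fixed order."""
    return sorted(y for y in i if gender(y) == gender(x))

def contribution(phi, i):
    """[phi](i): the variables phi adds to the input context i (Definition 2)."""
    k = phi[0]
    if k == 'atom':                                                  # (i)
        return frozenset()
    if k in ('not', 'forall'):                                       # (ii), (vii): barriers
        contribution(phi[-1], i | {phi[1]} if k == 'forall' else i)  # scope must still be defined
        return frozenset()
    if k in ('and', 'imp'):                                          # (iii), (iv)
        o1 = contribution(phi[1], i)
        o2 = contribution(phi[2], i | o1)                            # the first part feeds the second
        return o1 | o2 if k == 'and' else frozenset()
    if k == 'or':                                                    # (v): no flow between disjuncts
        contribution(phi[1], i); contribution(phi[2], i)
        return frozenset()
    if k == 'exists':                                                # (vi): exports its variable
        return frozenset({phi[1]}) | contribution(phi[2], i | {phi[1]})
    if not antecedents(phi[1], i):                                   # (viii), k == 'pro'
        raise Unresolvable(f'no antecedent for {phi[1]} in {sorted(i)}')
    return contribution(phi[2], i)

def well_formed(discourse):
    """Thread context through a sentence sequence (read as a conjunction) from the empty context."""
    ctx = frozenset()
    try:
        for sentence in discourse:
            ctx |= contribution(sentence, ctx)
    except Unresolvable:
        return False
    return True

def value(phi, M, h, i):
    """Definition 3: the set of classical values phi takes in M under assignment h and context i.
    1 in the result <=> M,h,i verifies phi; 0 in it <=> M,h,i falsifies phi; {1,0} is overdefinedness,
    the empty set undefinedness.  Assumption: quantifier scopes see i plus the bound variable."""
    U, I = M
    k = phi[0]
    if k == 'atom':
        return {1} if tuple(h[a] for a in phi[2]) in I[phi[1]] else {0}
    if k == 'not':                                                   # (ii) swaps the two directions
        return {1 - v for v in value(phi[1], M, h, i)}
    if k in ('and', 'imp', 'or'):
        a = value(phi[1], M, h, i)
        try:
            j = i if k == 'or' else i | contribution(phi[1], i)      # (iii), (iv) thread context
        except Unresolvable:
            return set()                                             # undefinedness is preserved
        b = value(phi[2], M, h, j)
        if k == 'and':
            return ({1} if 1 in a and 1 in b else set()) | ({0} if 0 in a or 0 in b else set())
        if k == 'imp':
            return ({1} if 0 in a or 1 in b else set()) | ({0} if 1 in a and 0 in b else set())
        return ({1} if 1 in a or 1 in b else set()) | ({0} if 0 in a and 0 in b else set())
    if k in ('exists', 'forall'):                                    # (vi), (vii)
        vals = [value(phi[2], M, {**h, phi[1]: d}, i | {phi[1]}) for d in U]
        one, zero = [1 in v for v in vals], [0 in v for v in vals]
        if k == 'exists':
            return ({1} if any(one) else set()) | ({0} if all(zero) else set())
        return ({1} if all(one) else set()) | ({0} if any(zero) else set())
    # (viii): verification and falsification are both existential over the antecedents, which
    # is what produces overdefinedness; with no accessible antecedent the value is the empty set.
    return set().union(*(value(phi[2], M, {**h, phi[1]: h[y]}, i) for y in antecedents(phi[1], i)))

def atom(pred, *args):
    return ('atom', pred, args)

# Constructed encodings of the discourses (3), (4), (5) and (6) of Section 2.
EX3 = [('exists', 'x_he', ('and', atom('man', 'x_he'), atom('sleep', 'x_he'))),
       ('pro', 'y_she', atom('snore', 'y_she'))]
EX4 = [('not', ('exists', 'x_it', ('and', atom('car', 'x_it'), atom('have', 'b_he', 'x_it')))),
       ('pro', 'y_it', atom('red', 'y_it'))]
EX5A = [('imp', ('exists', 'x_he', ('and', atom('linguist', 'x_he'),
                 ('exists', 'y_it', ('and', atom('car', 'y_it'), atom('have', 'x_he', 'y_it'))))),
         ('pro', 'z_it', ('not', atom('expensive', 'z_it'))))]
EX5B = EX5A + [('pro', 'w_it', atom('old', 'w_it'))]
EX6 = [('forall', 'x_he', ('imp', ('and', atom('poet', 'x_he'),
                                   ('exists', 'y_it', ('and', atom('book', 'y_it'), atom('publish', 'x_he', 'y_it')))),
                           ('pro', 'z_it', atom('like', 'x_he', 'z_it')))),
       ('pro', 'u_he', atom('arrogant', 'u_he'))]

# Constructed model for (10)-(12): two men, of whom only the first sleeps; h covers both.
SLEEPS = ('pro', 'z_he', atom('sleep', 'z_he'))
MODEL = ({'a', 'b'}, {'sleep': {('a',)}})
ASSIGN = {'x_he': 'a', 'y_he': 'b'}

def four_values():
    """The four values of '?z_he sleep(z_he)' as the set of accessible antecedents varies."""
    return {ctx: value(SLEEPS, MODEL, ASSIGN, set(ctx)) for ctx in [('x_he',), ('y_he',), ('x_he', 'y_he'), ()]}
```

`well_formed` answers the asterisk judgements of Section 2, and `four_values` shows the diagram (13) arising from one formula under four contexts.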

Finally, we define a notion of entailment for sequences of formulas that possibly
contain unresolved pronouns.



Definition 4 (Entailment). Let $\varphi_1, \dots, \varphi_n, \psi$ be formulas of the language, $h$ an arbitrary
variable assignment, and $i$ an arbitrary context. We say that $\varphi_1, \dots, \varphi_n$
ambiguously entail $\psi$, written as $\varphi_1, \dots, \varphi_n \models_a \psi$, if for all $M$:

if for all $j \in \{1, \dots, n\}$: $M, h, i \cup [\varphi_1 \wedge \dots \wedge \varphi_{j-1}](i) \models_a \varphi_j$
then $M, h, i \models_a \psi$.

Pronouns occurring in $\psi$ are resolved against the context $i$, which is also
the context of the premises. Thereby, $\psi$ cannot pick antecedents introduced in
the premises. Note that there are several ways to define dynamic entailment
relations, and the one proposed is just one of them. [vB96, Chapter 7] classifies
the entailment relation defined above as update-to-update consequence. Observe,
by the way, that our notion of entailment is nonmonotonic, as are most entailment
relations in dynamic frameworks.



5 A Tableau Calculus for Pronoun Resolution 

This section introduces our tableau calculus for reasoning with unresolved pro- 
nouns. The calculus consists of two components, a set of tableau expansion rules, 
and contextual parameters that allow us to interleave pronoun resolution and 
deduction steps. We first discuss the rules and then provide a short example. 
5.1 The Tableau Expansion Rules

To reason with pronoun ambiguities we use a tableau calculus that is both free-variable
and signed. The first property is simply to avoid the inefficiency of
ground tableaux. Free-variable tableaux are fairly standard and we will not say
much about them here; the reader is referred to [Fit96] instead. Signed tableaux
are not new either, but here the signs are employed for a novel purpose. In Section 3,
we motivated the distinction between negation in the object language
($\neg$) and polarities of tableau nodes $(+, -)$. This was necessary because $\neg$ has an
impact on the flow of contextual information, and to guarantee structure preservation
we do not want to allow tableau rules to introduce additional negations.
In addition, a distinction between verification and falsification is important to
assign the right semantic values to formulas containing pronouns. An occurrence
of a node of the form $+ : \varphi$ means that $\varphi$ is verifiable, which corresponds to $\models_a$,
and an occurrence of the form $- : \varphi$ means that $\varphi$ is falsifiable, corresponding
to $=\!|_a$.



Table 1. The tableau rules for pronoun resolution (premise above, conclusions below; $\mid$ separates branches)

$(+:\wedge)$  $(i, o, \varrho, +) : \varphi \wedge \psi$
              $(i, o', \varrho, +) : \varphi$
              $(i \cup o', o'', \varrho, +) : \psi$

$(-:\wedge)$  $(i, o, \varrho, -) : \varphi \wedge \psi$
              $(i, o', \varrho, -) : \varphi \;\mid\; (i \cup o', o'', \varrho, -) : \psi$

$(+:\vee)$    $(i, \emptyset, \varrho, +) : \varphi \vee \psi$
              $(i, o, \varrho, +) : \varphi \;\mid\; (i, o', \varrho, +) : \psi$

$(-:\vee)$    $(i, \emptyset, \varrho, -) : \varphi \vee \psi$
              $(i, o, \varrho, -) : \varphi$
              $(i, o', \varrho, -) : \psi$

$(+:\to)$     $(i, \emptyset, \varrho, +) : \varphi \to \psi$
              $(i, o, \varrho, -) : \varphi \;\mid\; (i \cup o, o', \varrho, +) : \psi$

$(-:\to)$     $(i, \emptyset, \varrho, -) : \varphi \to \psi$
              $(i, o, \varrho, +) : \varphi$
              $(i \cup o, o', \varrho, -) : \psi$

$(+:\neg)$    $(i, \emptyset, \varrho, +) : \neg\varphi$
              $(i, o, \varrho, -) : \varphi$

$(-:\neg)$    $(i, \emptyset, \varrho, -) : \neg\varphi$
              $(i, o, \varrho, +) : \varphi$

$(+:\forall)$ $(i, \emptyset, \varrho, +) : \forall x_g\,\varphi$
              $(i \cup \{x_g\}, o, \varrho, +) : \varphi[x_g/X_g]$

$(-:\forall)$ $(i, \emptyset, \varrho, -) : \forall x_g\,\varphi$
              $(i \cup \{x_g\}, o, \varrho, -) : \varphi[x_g/f_g(X_1 \dots X_n)]$ †

$(+:\exists)$ $(i, o \cup \{x_g\}, \varrho, +) : \exists x_g\,\varphi$
              $(i \cup \{x_g\}, o, \varrho, +) : \varphi[x_g/f_g(X_1 \dots X_n)]$ †

$(-:\exists)$ $(i, o \cup \{x_g\}, \varrho, -) : \exists x_g\,\varphi$
              $(i \cup \{x_g\}, o, \varrho, -) : \varphi[x_g/X_g]$

$(+:?)$       $(i \cup \{t_g\}, o, \varrho, +) : ?x_g\,\varphi$
              $(i \cup \{t_g\}, o, \varrho, +) : \varphi[x_g/t_g^{pro}]$

$(-:?)$       $(i \cup \{t_g\}, o, \varrho, -) : ?x_g\,\varphi$
              $(i \cup \{t_g\}, o, \varrho, -) : \varphi[x_g/t_g^{pro}]$

$(\bot)$      $(i, o, \varrho, +) : R(s_1, \dots, s_n)$
              $(i', o', \varrho', -) : R(t_1, \dots, t_n)$
              $\bot\,\sigma$ ‡

† Where $X_1 \dots X_n$ are the free variables in $\varphi$ and $i$.
‡ Where $\sigma$ is the mgu of $R(s_1, \dots, s_n)$ and $R(t_1, \dots, t_n)$; if $\varrho = \varrho'$ then $\{s_1, \dots, s_n, t_1, \dots, t_n\} \cap PRO = \emptyset$.
The complete set of tableau rules constituting our calculus for pronoun ambiguity
is given in Table 1. The rules may seem somewhat overwhelming,
but most of them are familiar ones. Remember that nodes are annotated by
labels and are of the form $(i, o, \varrho, p) : \varphi$, where $i$ is the input context, $o$ is the
output context (computed by the rules in Table 1), and $\varrho$ indicates the origin of the
formula, whether it occurred as a premise ($p$) or a conclusion ($c$). Polarity is simply
expressed by $p$, $p \in \{+, -\}$. The way in which context is threaded through the
tableau corresponds to the definition of contextual contribution, cf. Definition 2.
Polarity assignment is done as defined in Definition 3.

Given our earlier discussions, the expansion rules should be obvious, but
some rules deserve special attention. Let us first discuss the pronoun rules $(+:?)$
and $(-:?)$. First, the ?-operator is simply dropped, and the variable it binds
is substituted by one of its accessible terms that agrees with the pronoun on
gender. These instantiations are marked as $pro$, in order to distinguish them
from argument positions that are not instantiations of a pronoun. The set $PRO$
is the set of all marked terms. The superscript has no influence on unification of
terms; it is just needed to constrain the closure of a branch to cases that obey
goodness.

Next, we consider the rules $(+:\exists)$ and $(-:\forall)$. Both rules involve Skolemization,
and the question is which influence pronoun variables have on Skolem
terms. Consider the node in (14).

(14) $(i, o, \varrho, +) : \exists x_g\, ?y_{g'}\,\varphi$

In (14), applying the tableau expansion rule $(+:\exists)$ will substitute $x_g$ by a Skolem
function $f_g(X_1 \dots X_n)$, where $X_1, \dots, X_n$ are the free variables in $\varphi$. But what
about $y_{g'}$? It does not occur free in $\varphi$, because it is bound by the ?-operator,
but it could be resolved to some term in the context, which contains free variables.
This dilemma is due to the order of application: first, Skolemization is carried
out, and then pronoun resolution. This leads to incorrectness. For instance, from
$\forall x_g\, \exists y_{g'}\, ?z_g\, R(z_g, y_{g'})$ we can now derive $\exists y_{g'}\, ?z_g\, R(z_g, y_{g'})$, which is clearly
not a valid derivation. Here, $x_g$ does not occur overtly in $R(z_g, y_{g'})$, but $z_g$ can
be resolved to $x_g$. To fix this, Skolemization does not only have to depend on
the free variables occurring in formulas, but also on the free variables occurring
in the terms of the input context, since pronouns can be resolved to these terms.

Finally, $(\bot)$ carries the proviso that two literals of distinct polarity, where
both originate from the premises (marked $p$) or both originate from the conclusion
(marked $c$), do not allow us to close a tableau branch if they contain pronoun
instantiations. This allows us to encode goodness into the tableau calculus, saying
that pronouns can only be resolved to antecedents that do not carry contradictory
information, as exemplified by (9). It ensures that the premises themselves
and the conclusion on its own are interpreted consistently. But of course, it is
still possible to derive a contradiction from the combination of the former with
the negation of the latter.
5.2 An Example

Given the two-sentence sequence A man sees a boy. He whistles, we want to see
whether we can derive A man whistles. The semantic representation of the
premises is given by the first two nodes, and the negation of the conclusion
is given by the third node. The corresponding proof is displayed in Table 2.



Table 2. A Sample Proof

$(\emptyset, o_1, p, +) : \exists x_{he}\,(man(x_{he}) \wedge \exists y_{he}\,(boy(y_{he}) \wedge see(x_{he}, y_{he})))$
$(o_1, o_2, p, +) : ?z_{he}\, whistle(z_{he})$
$(\emptyset, o_3, c, -) : \exists u_{he}\,(man(u_{he}) \wedge whistle(u_{he}))$
$o_1 := \{f_{he}\}$
$(\{f_{he}\}, o_1, p, +) : man(f_{he}) \wedge \exists y_{he}\,(boy(y_{he}) \wedge see(f_{he}, y_{he}))$
$(\{f_{he}\}, \emptyset, p, +) : man(f_{he})$
$(\{f_{he}\}, o_1, p, +) : \exists y_{he}\,(boy(y_{he}) \wedge see(f_{he}, y_{he}))$
$o_1 := o_1 \cup \{g_{he}\}$
$(\{f_{he}, g_{he}\}, o_4, p, +) : boy(g_{he}) \wedge see(f_{he}, g_{he})$
$(\{f_{he}, g_{he}\}, \emptyset, p, +) : boy(g_{he})$
$(\{f_{he}, g_{he}\}, \emptyset, p, +) : see(f_{he}, g_{he})$
$(\{f_{he}, g_{he}\}, \emptyset, p, +) : whistle(g_{he}^{pro})$        (pronoun resolved to $g_{he}$)
$o_3 := \{U_{he}\}$
$(\{U_{he}\}, o_3, c, -) : man(U_{he}) \wedge whistle(U_{he})$
    left branch:  $(\{U_{he}\}, \emptyset, c, -) : man(U_{he})$
    right branch: $(\{U_{he}\}, \emptyset, c, -) : whistle(U_{he})$    closed against $whistle(g_{he}^{pro})$: $\bot\,\{U_{he}/g_{he}\}$
The left branch continues:
$(\{f_{he}, g_{he}\}, \emptyset, p, +) : whistle(f_{he}^{pro})$        (pronoun resolved to $f_{he}$)
$o_3 := o_3 \cup \{V_{he}\}$
$(\{V_{he}\}, o_3, c, -) : man(V_{he}) \wedge whistle(V_{he})$
    left branch:  $(\{V_{he}\}, \emptyset, c, -) : man(V_{he})$        closed against $man(f_{he})$: $\bot\,\{V_{he}/f_{he}\}$
    right branch: $(\{V_{he}\}, \emptyset, c, -) : whistle(V_{he})$    closed against $whistle(f_{he}^{pro})$: $\bot\,\{V_{he}/f_{he}\}$



First, we try to resolve the pronoun to $g_{he}$. This allows us to close the rightmost
branch, with mgu $\{U_{he}/g_{he}\}$. But then there is no contradictory node for
$(\{g_{he}\}, \emptyset, c, -) : man(g_{he})$. Hence, we apply pronoun resolution again, and this
time resolve it to $f_{he}$. Next, universal instantiation is applied with the new free
variable $V_{he}$. Now, all remaining branches can be closed by the mgu $\{V_{he}/f_{he}\}$.
In Table 2, each closing substitution is shown at the branch it closes, together with the pair of nodes involved.

The threading of contextual information may seem a bit confusing, but it 
is hard to display the dynamics of the instantiation of the context variables on 
‘static’ paper. It may be helpful to read the tableau rules in Table 1 as Prolog 
clauses, where the context variables of the parent of a rule unify with the context 
variables of the node the rule is applied to. 



6 Results 

The tableau calculus has a number of advantages over a resolution-based 
approach to pronoun resolution, as provided in [MdR98b]. First of all, it is pos- 
sible to interleave the computation of accessible variables with deduction, since 
preservation of structure is guaranteed in our signed tableau method. This is 
not possible in resolution, because it is assumed that the input is in conjunc- 
tive normal form, which destroys all structural information needed for pronoun 
binding. Accessible antecedents can only be computed by a preprocessing step, 
cf. [MdR98b]. 

But the major advantage is that no backtracking is needed if the choice of an 
antecedent for a pronoun does not allow us to close all open branches; we simply 
apply pronoun resolution again, choosing a different antecedent. Of course, more 
has to be said about controlling proof construction than we have room for here. 
For instance, one would like to prevent the proof method from choosing again 
an antecedent for a pronoun that did not allow some branches to be closed. This can 
be accomplished by some simple bookkeeping about the antecedents that have 
been used before. 

has been implemented in Prolog, and is based on leanTAP [BP95,PSar], 
a well-known depth-first theorem prover for classical first-order logic. It is slightly 
adapted for our purposes, where we dispense with the assumption that the input 
is in negation normal form as this violates the principle of structure preserva- 
tion. Of course, this adaptation results in a less lean, but still rather efficient 
theorem prover. The Prolog implementation of is available online at 

http://www.wins.uva.nl/~christof/implementations.html. 

To conclude this section, let us turn to a brief discussion of soundness and 
completeness of our calculus. There are at least two strategies for establishing soundness 
and completeness. Of course, one can follow a direct strategy: prove soundness 
in the traditional manner, and prove completeness by adapting the ‘classical’ 
completeness proof for free variable tableaux based on Hintikka sets. 
Here, we sketch an indirect strategy that consists in reducing the soundness and 
completeness of our calculus to the soundness and completeness of a traditional free- 
variable tableau calculus for first-order logic. The basic intuition is the 
following: by analyzing tableaux for our calculus one can extract pronoun resolutions 
that can be used to help preprocess ambiguous formulas and turn them 
into traditional first-order formulas, while preserving enough information about 
satisfiability. 

Theorem 5 (Soundness). If a closed tableau can be generated from 
Γ = {(∅, ∅, p, +) : ⋀_{k=1}^n φ_k, (∅, σ, c, −) : ψ}, where φ_1, …, φ_n, ψ are formulas, then 
φ_1, …, φ_n ⊨_a ψ. 

Proof. Given a closed tableau T for Γ, the pronoun instantiations t_1, …, t_m 
that led to the closure of the branches of T are collected. Then, we relate 
the instantiations to the pronoun variables {x_1, …, x_m} that introduced them 
by an application of (+ : ?) or (− : ?). As t_1, …, t_m are free variables or 
skolem terms, we identify the quantifier variables {y_1, …, y_m} that introduced 
{t_1, …, t_m}. This yields two substitutions of the form θ = {x_1/y_1, …, x_j/y_j} and 
θ' = {x_{j+1}/y_{j+1}, …, x_m/y_m}, where θ disambiguates the pronouns occurring in 
the premises, and θ' disambiguates the pronouns occurring in the conclusion. To 
ensure that substituted variables are classically bound, we apply a re-bracketing 
algorithm which is used in dynamic semantics, in order to relate dynamic se- 
mantics to classical logic, cf. [GS91]. To illustrate the process of re-bracketing: 
it allows us to replace a dynamic formula such as ∃x φ(x) ∧ ψ(x) by its classical 
counterpart ∃x (φ(x) ∧ ψ(x)). More generally, the re-bracketing algorithm may 
be specified as follows: 

Definition 6 (Re-bracketing). Every dynamic formula can be translated to 
a formula of classical first-order logic. In [GS91] a function b is defined that 
accomplishes this. b is defined recursively: 

1. b(R(t_1 … t_n)) = R(t_1 … t_n) 

2. b(¬φ) = ¬b(φ) 

3. b(φ_1 ∨ φ_2) = b(φ_1) ∨ b(φ_2) 

4. b(∃x φ) = ∃x b(φ) 

5. b(∀x φ) = ∀x b(φ) 

6. b(φ_1 ∧ φ_2) = 

(a) b(ψ_1 ∧ (ψ_2 ∧ φ_2)) if φ_1 = ψ_1 ∧ ψ_2 

(b) ∃x b(ψ ∧ φ_2) if φ_1 = ∃x ψ 

(c) b(φ_1) ∧ b(φ_2) otherwise 

7. b(φ_1 → φ_2) = 

(a) b(ψ_1 → (ψ_2 → φ_2)) if φ_1 = ψ_1 ∧ ψ_2 

(b) ∀x b(ψ → φ_2) if φ_1 = ∃x ψ 

(c) b(φ_1) → b(φ_2) otherwise 

Re-bracketing can be applied, because pronoun variables are always substi- 
tuted by quantified variables that are accessible in the sense of Definition 2, 
which is based on the notion of accessibility in dynamic semantics, see e.g., 
[KR93,GS91]. 
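The re-bracketing function b of Definition 6, together with the pronoun substitution that precedes it in the proof of Theorem 5, as an added Python example (not code from the paper or from [GS91]); the tuple encoding of formulas, the names b, substitute, show and resolve_and_rebracket, and the premise formula assembled from the example of Section 5.2 are assumptions of this example.

```python
# Re-bracketing (Definition 6): translate a dynamic formula into a classical
# first-order formula.  Added example, not code from the paper.  Formulas are
# nested tuples of an assumed shape:
#   ('atom', name, args)   ('not', p)   ('or', p, q)   ('and', p, q)
#   ('imp', p, q)   ('exists', var, p)   ('forall', var, p)
# As in [GS91], a quantifier in the left conjunct or in the antecedent binds
# occurrences in the right conjunct or consequent, so only conjunction and
# implication are re-bracketed; the other connectives are left alone.

def b(phi):
    kind = phi[0]
    if kind == 'atom':                              # 1. b(R(t1..tn)) = R(t1..tn)
        return phi
    if kind == 'not':                               # 2. b(~p) = ~b(p)
        return ('not', b(phi[1]))
    if kind == 'or':                                # 3. b(p | q) = b(p) | b(q)
        return ('or', b(phi[1]), b(phi[2]))
    if kind in ('exists', 'forall'):                # 4./5. b(Qx p) = Qx b(p)
        return (kind, phi[1], b(phi[2]))
    left, right = phi[1], phi[2]
    if kind == 'and':                               # 6. b(p & q)
        if left[0] == 'and':                        # (a) (p1 & p2) & q  =>  p1 & (p2 & q)
            return b(('and', left[1], ('and', left[2], right)))
        if left[0] == 'exists':                     # (b) (Ex p) & q  =>  Ex (p & q)
            return ('exists', left[1], b(('and', left[2], right)))
        return ('and', b(left), b(right))           # (c) otherwise
    if kind == 'imp':                               # 7. b(p -> q)
        if left[0] == 'and':                        # (a) (p1 & p2) -> q  =>  p1 -> (p2 -> q)
            return b(('imp', left[1], ('imp', left[2], right)))
        if left[0] == 'exists':                     # (b) (Ex p) -> q  =>  Ax (p -> q)
            return ('forall', left[1], b(('imp', left[2], right)))
        return ('imp', b(left), b(right))           # (c) otherwise
    raise ValueError(f'unknown connective {kind!r}')

def substitute(phi, theta):
    """Apply a pronoun resolution theta = {pronoun_var: antecedent_var} to every
    atom.  This is the substitution step that precedes re-bracketing in the
    proof of Theorem 5 (the substitution there is on variables, not on binders)."""
    kind = phi[0]
    if kind == 'atom':
        return ('atom', phi[1], tuple(theta.get(t, t) for t in phi[2]))
    if kind in ('exists', 'forall'):
        return (kind, phi[1], substitute(phi[2], theta))
    return (kind,) + tuple(substitute(sub, theta) for sub in phi[1:])

def show(phi):
    """Render a formula with E/A for the quantifiers and &, |, ->, ~ as connectives."""
    kind = phi[0]
    if kind == 'atom':
        return f"{phi[1]}({','.join(phi[2])})"
    if kind == 'not':
        return '~' + show(phi[1])
    if kind in ('exists', 'forall'):
        return f"{'E' if kind == 'exists' else 'A'}{phi[1]} {show(phi[2])}"
    op = {'and': ' & ', 'or': ' | ', 'imp': ' -> '}[kind]
    return f'({show(phi[1])}{op}{show(phi[2])})'

def atom(name, *args):
    return ('atom', name, args)

# The two premises of Section 5.2 conjoined dynamically (constructed input):
# Ex_he (man(x_he) & Ey_he (boy(y_he) & see(x_he, y_he))) & whistle(z_he),
# with the pronoun variable z_he still unresolved.
PREMISES = ('and',
            ('exists', 'x_he', ('and', atom('man', 'x_he'),
                                ('exists', 'y_he', ('and', atom('boy', 'y_he'),
                                                    atom('see', 'x_he', 'y_he'))))),
            atom('whistle', 'z_he'))

def resolve_and_rebracket(phi, theta):
    """Substitution followed by re-bracketing, as in the proof of Theorem 5."""
    return show(b(substitute(phi, theta)))

if __name__ == '__main__':
    # Resolve the pronoun to x_he, the antecedent that lets Table 2 close:
    print(resolve_and_rebracket(PREMISES, {'z_he': 'x_he'}))
    # -> Ex_he (man(x_he) & Ey_he (boy(y_he) & (see(x_he,y_he) & whistle(x_he))))
```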

Then, a closed tableau for φ_1, …, φ_n, ¬ψ in our calculus gives rise to a closed 
tableau for φ'_1, …, φ'_n, ¬ψ' in the classical calculus by soundness, where φ'_1, …, φ'_n 
is the result of applying θ and re-bracketing to φ_1, …, φ_n, and ψ' results 
from applying θ' and re-bracketing to ψ. □ 
Theorem 7 (Completeness). If an open tableau can be generated 
from Γ = {(∅, ∅, p, +) : ⋀_{k=1}^n φ_k, (∅, σ, c, −) : ψ}, where φ_1, …, φ_n, ψ are formulas, 
then φ_1, …, φ_n ⊭_a ψ. 

Proof. If Γ is consistent in our calculus, then it may be shown that for all admissible 
pronoun resolutions θ, θ', the set θφ_1, …, θφ_n, θ'¬ψ is consistent in the classical calculus. 
Obviously, we need to get rid of ambiguous formulas involving the ?-operator 
when moving from our calculus to the classical one, but this is what the admissible pronoun 
resolution does for us. By the completeness of the classical calculus (see [Fit96]), we get that 
θφ_1, …, θφ_n, θ'¬ψ is (classically) satisfiable, for any admissible θ, θ'. Hence, 
φ_1, …, φ_n, ¬ψ is satisfiable according to ⊨_a, as required. □ 



7 Conclusions 

In this paper, we have proposed a tableau calculus that tries to tackle an instance 
of a particularly important and difficult task in computational semantics: auto- 
mated reasoning with ambiguity. A tableau calculus that allows one to interleave 
disambiguation and deduction has been proposed to overcome the problem of 
state explosion one inevitably runs into if theorem proving is applied to naively 
disambiguated semantic representations. 

To enable on-the-fly disambiguation during proof development, it is necessary 
that enough structural information of the original representation is preserved. 
In the case of pronoun resolution this structural information is needed to define 
which variables can serve as antecedents for pronouns. The nodes in the tableau 
were adorned with labels containing this additional contextual information. 

It turned out that tableau methods are especially well-suited for reasoning 
with natural language semantics, since they are analytic (in contrast to Natural 
Deduction), and they allow for a more sensitive manipulation of the syntactic 
structures of the formulas (in contrast to resolution methods). See, for instance, 
[KK98,MdR98c] for other applications of tableau methods in the area of com- 
putational semantics. 

Future work will be devoted to extending our tableau calculus to more com- 
plex cases of anaphora resolution, like presuppositions or plural pronouns, where 
contextual information has to contain more structure than just lists of accessible 
terms. At the same time, it has to be investigated how a more comprehensive 
framework that allows reasoning with different kinds of ambiguity can be set up. 
We plan to combine our tableau calculus for pronoun resolution with some of 
our earlier work on reasoning with quantificational ambiguity, cf. [MdR98c]. 
Abstract. This paper presents a way to improve minimal model gener- 
ation for clausal theories. It works by breaking up the model generation 
process into several steps according to several parts of the given the- 
ory. It is shown that elimination of non-minimal or duplicate models can 
be performed after each step, which reduces the overall search space. An 
even stronger reduction of the search space is possible if we are interested 
only in certain parts of the models to be generated. 

The techniques are applicable to any method for the generation of mini- 
mal Herbrand models. The paper goes into some detail how they can be 
integrated tightly into the PUHR tableau method. 



1 Introduction 

Various methods for generating models of logic theories have been developed 
and described in the literature. Some of these methods (e.g., [7,4,9]) actually 
generate Herbrand models for clausal theories. Herbrand models are known to 
exist for a clausal theory if the theory is satisfiable at all. The restriction to Her- 
brand models has the advantage that the interpretation of the function symbols 
is fixed and thus only the interpretation of the predicate symbols needs to be 
determined. 

Frequently it is desirable that the generated Herbrand models are minimal, 
i.e., there should not be another Herbrand model that satisfies only a subset of 
the ground atoms satisfied by some generated Herbrand model. Non-monotonic 
reasoning is one important application of minimal models. Another reason for 
dealing with minimal models is that further processing steps applied to the gen- 
erated models are typically more efficient for smaller models. This is especially 
important if these processing steps are carried out by humans. In diagnosis ap- 
plications a generated model should be as small as possible so that it represents 
a diagnosis as precisely as possible [8]. 

This paper introduces two refinements that can be applied to various meth- 
ods for generating minimal Herbrand models of clausal theories. For the first of 
these refinements we divide a clausal theory Th into parts Th_1, …, Th_n. 
Now we generate minimal Herbrand models step by step. First we generate the 
minimal Herbrand models of Th_1. Then we try to extend each such model yield- 
ing Herbrand models of Th_2 and we select the minimal ones. This procedure is 
repeated until we reach Th_n. Under certain conditions the models that we have 
finally generated are just the minimal models of Th. Model generation methods 
like the PUHR-tableau calculus and its variants [7, 4] do not only generate the 
minimal Herbrand models of a theory but also some non-minimal ones. A model 
may also be generated more than once. Special measures (which are sometimes 
considered part of the model generation method) have to be taken in order to 
remove non-minimal models and duplicates. The first refinement has the advan- 
tage that it allows these measures to be applied early and frequently, namely after 
each step dealing with a Th_i. This reduces the number of intermediate results 
and thus makes the further process more efficient. 

For the second refinement note that we are usually not interested in an 
entire model, but only in its “relevant” parts. That is, we want to know how 
certain ground atoms are interpreted, but we don’t care about others. We also 
want to minimize models w.r.t. the relevant atoms. That is, we are interested in 
models that satisfy as few as possible of the relevant ground atoms. Diagnosis 
applications are important examples here: We are interested in and want to 
minimize w.r.t. only those atoms that describe the diagnosis itself, but not those 
atoms that describe other details of a system state. It turns out to be possible 
to perform a restriction to the relevant parts of generated models after each 
step, i.e., after model generation for one of the Th_i has been performed. Two 
models that are not comparable (i.e., none is a subset of the other) may become 
comparable or even equal after the restriction to relevant parts, which then 
allows us to eliminate one of them. So the second refinement allows us to prune the 
search space even more. 

In order to get a better intuitive understanding of these ideas consider a 
clausal theory Th consisting of the clauses 

p_1 

p_i → q_{i,1} ∨ … ∨ q_{i,m}   for i ∈ {1, …, n} 

q_{i,j} → p_{i+1}   for i ∈ {1, …, n} and j ∈ {1, …, m} 

and assume that we are interested only in p_{n+1}. 

A naive method would generate minimal Herbrand models, each of which 
satisfies all the p_i for i ∈ {1, …, n + 1} and some q_{i,j_i} for every i ∈ {1, …, n}. 
In particular, every generated model satisfies p_{n+1}, which we were interested in. 

Now we divide Th into subsets Th_1, …, Th_n in such a way that every Th_i 
contains the clauses of the form p_i → q_{i,1} ∨ … ∨ q_{i,m} and q_{i,j} → p_{i+1} with 
the respective value of i. In addition, Th_1 contains p_1. The step-by-step model 
generation proceeds as follows: For Th_1 we get several models of which those m 
models that satisfy only p_1, p_2 and one of the q_{1,j} are minimal. For our further 
computation we are only interested in p_2, which is satisfied by all generated 
models. We now generate models of Th_2 which also satisfy p_2. We do this only 
once and need not repeat it for all generated models of Th_1. Among the generated 
models there are again m minimal ones, namely those that satisfy only p_2, p_3 
and one of the q_{2,j}. We perform similar steps for Th_3 to Th_n. In the last step 
we get again m models, each of which satisfies p_{n+1}. The number of minimal 




Generating Minimal Herbrand Models Step by Step 265 



models generated in all steps is now only n · m. Furthermore the models are a 
lot smaller than the ones generated by the naive method. 

The rest of the paper is organized as follows. The next section introduces 
terminology and notation and also recalls results about the structure of the set 
of Herbrand models of a clausal theory. In Section 3 the main result of this paper 
is derived, namely that step-by-step model generation is correct under certain 
conditions. We will see how these results can be applied to the PUHR tableau 
calculus in Section 4. Section 5 concludes the paper with some considerations 
about related and possible future work as well as a practical application area. 



2 Preliminaries 

Even though the reader is expected to be familiar with basic notions of set theory, 
first order logic, and logic programming, this section repeats some definitions in 
order to introduce the notation of this paper and to fix some notions that are 
not always used with the same meaning. It also introduces some simple notions 
that are not in general use. 



2.1 Partial Orders 

We will need some properties of the subset relation when we compare Herbrand 
interpretations. These properties actually hold and are formulated here for an 
arbitrary partial order ⊑. 

Definition 1. Let ⊑ be a binary relation on a set M and let H ⊆ M. Then 

min_⊑(H) := {m ∈ H | h ⊑ m implies h = m for all h ∈ H} 
exp_⊑(H) := {x ∈ M | h ⊑ x for some h ∈ H} 

If ⊑ is a partial order, then the elements of min_⊑(H) are the minimal elements 
of H w.r.t. ⊑. If ⊑ is reflexive, then exp_⊑(H) is a superset of H, which 
gave rise to the operation name “exp” for expansion. O 

The following two lemmas about the operations min_⊑ and exp_⊑ hold trivially: 

Lemma 2. Let ⊑ be a partial order on a set M and let H be a subset of M. 
Then min_⊑(exp_⊑(H)) = min_⊑(H). 

Lemma 3. Let ⊑ be a partial order on a set M and let H be a subset of M 
such that for every h ∈ H there is a minimal element m of H with m ⊑ h. Then 
exp_⊑(min_⊑(H)) = exp_⊑(H). 

Definition 4. Let ⊑ be a partial order on a set M. 

— A subset K of M is a chain w.r.t. ⊑ if k ⊑ k' or k' ⊑ k holds for all 
k, k' ∈ K. 
— A subset H of M is chain-complete w.r.t. ⊑ if for every non-empty chain 
K ⊆ H w.r.t. ⊑ the greatest lower bound inf_⊑ K exists and is an element 
of H. O 

Notice that without the restriction to non-empty chains, chain-completeness 
would have been dual to the notion of a complete partial order as it is used in 
domain theory. We will use the following variant of Zorn’s Lemma: 

Lemma 5. Let ⊑ be a partial order on a set M and let H ⊆ M be chain- 
complete w.r.t. ⊑. Then for every h ∈ H there is a minimal element m of H 
with m ⊑ h. 



2.2 First Order Logic, Clauses, and Herbrand Interpretations 

Disjunction and conjunction will be considered to be associative, commuta- 
tive, idempotent, and with neutral elements. Conjunctions and disjunctions bind 
stronger than implications. Ground clauses will be denoted equivalently in dis- 
junctive form, i.e., as a disjunction of literals (atoms or negations of atoms) or 
in implication form, i.e., as an implication with a conjunction of atoms as its 
antecedent (the body) and a disjunction of atoms as its consequent (the head). 
A unit clause consists of a single literal. The empty clause is the neutral element 
⊥ of the disjunction, i.e., the falsity. 

We will assume a first order language to be given with some fixed set of 
predicate and function symbols that does not depend on the set of symbols 
actually used in some theory. The Herbrand base, i.e., the set of all ground 
atoms of this language, is denoted as HB. As usual in logic programming, an 
Herbrand interpretation is identified with the set of ground atoms it satisfies. 
The set of Herbrand models of a theory Th is denoted as M(Th). The set of 
minimal Herbrand models is M_min(Th). We will implicitly rely on the fact that 
an Herbrand interpretation satisfies a set C of clauses iff it satisfies all ground 
instances of clauses in C. 

We will also use some properties of ground resolution [12]. Let C = A ∨ R and 
C' = ¬A ∨ R' be ground clauses with an atom A. Then C and C' are resolvable 
and the result of a ground resolution step applied to C and C' is the resolvent 
R ∨ R'. Ground resolution is known to be sound and refutation-complete, i.e. 

— If an interpretation M satisfies two resolvable ground clauses C and C', then 
M also satisfies the resolvent of C and C'. 

— If a set C of ground clauses is unsatisfiable, then the empty clause can be 
derived from clauses in C by a finite number of ground resolution steps. 

Corollary 7 below has been shown by Seipel et al. [13]. The central step of 
the proof is presented separately here as Lemma 6 because it will also be used 
for another result. 

Lemma 6. Let Th be a clausal theory. Then M(Th) is chain-complete w.r.t. 
the subset relation. 

By applying Lemma 5 to Lemma 6 we get: 

Corollary 7 (Existence of Minimal Herbrand Models). Let M be an Her- 
brand model of a clausal theory Th. Then there is a minimal Herbrand model 
M' of Th with M' ⊆ M. 

3 Step-by-Step Model Generation 

In this section we see how model-generation procedures can be refined in such 
a way that they generate models step by step along a sequence of subsets of 
the given theory. For most of this section, however, we consider only two steps. 
Theorem 19, the central result of this paper, will say how a model generation 
process for a theory Th_1 ∪ Th_2 can be divided into two steps corresponding to 
the two theories Th_1 and Th_2. The restriction to relevant atoms is propagated 
to the individual steps. This result is then easily extended to the general case by 
induction. Proofs for some of the simpler lemmas have been omitted for space 
reasons. 

The division of a theory into parts must have the property that earlier steps 
do not depend on later steps. This can be formulated as a syntactic criterion as 
follows: 

Definition 8. Let Th_1 and Th_2 be clausal theories. Th_1 is independent from 
Th_2 if no body atom from Th_1 is unifiable with a head 
atom from Th_2. O 

The following two lemmas are related to the notion of independence. Lemma 10 
will be used in a chain of equations in the proof of Theorem 19. 

Lemma 9. Let M be a minimal Herbrand model of the clausal theory Th. Then 
every atom A ∈ M is a ground instance of a head atom from Th. 

Proof. Assume there were an atom A ∈ M that is not a ground instance of 
a head atom in Th. This contradicts the minimality property for M, because 
M \ {A}, which is a proper subset of M, would then also be a model of Th: 
Consider an arbitrary ground instance ⋀_i B_i → ⋁_j H_j of a clause in Th such 
that all the B_i occur in M \ {A}. So the B_i also occur in M. Since M is a model 
of Th and thus of our clause instance, some H_j occurs in M. Since A is not a 
ground instance of a head atom in Th, we get H_j ∈ M \ {A}. □ 

Lemma 10. Let Th_1 and Th_2 be clausal theories with Th_1 independent from Th_2. Then 
exp_⊆(exp_⊆(M(Th_1)) ∩ M(Th_2)) = exp_⊆(M(Th_1) ∩ M(Th_2)). 

Proof. An Herbrand interpretation I is an element of the left hand side of 
the equation iff (L) there are Herbrand interpretations L_1 and L_2 such that 
(L1) L_1 ⊨ Th_1, (L2) L_1 ⊆ L_2, (L3) L_2 ⊨ Th_2, (L4) L_2 ⊆ I. I is an element 
of the right hand side iff (R) there is an Herbrand interpretation R such that 
(R1) R ⊨ Th_1, (R2) R ⊨ Th_2, and (R3) R ⊆ I. 

“(L) ⇒ (R)”: Note that we can consider L_1 not only as an Herbrand inter- 
pretation but also as a (ground positive unit) clausal theory, and that by (L2) L_2 
is a model of L_1. With (L3) we get that L_2 ⊨ Th_2 ∪ L_1. By Corollary 7 there is a 
minimal Herbrand model L_{1,2} of Th_2 ∪ L_1 with L_{1,2} ⊆ L_2. We choose R := L_{1,2}. 
Now (R2) holds immediately and (R3) follows with (L4). (R1) is shown as fol- 
lows. Consider an arbitrary ground instance ⋀_i B_i → ⋁_j H_j of a clause in Th_1 
with B_i ∈ L_{1,2} for all i. Because Th_1 is independent from Th_2, none of the B_i occurs as a head 
atom in Th_2. So by Lemma 9 all the B_i must occur in L_1. Since by (L1) L_1 is 
a model of our clause instance, it must also contain one of the H_j. So this H_j is 
also an element of L_{1,2}. 

“(R) ⇒ (L)”: We choose L_1 := R and L_2 := R. Now (L1), (L3), and (L4) 
hold by (R1) to (R3). (L2) holds trivially. □ 

Before we deal with the second refinement of model generation procedures, 
namely the restriction of models to a set Q of relevant atoms (which may be 
considered a query to the theory), a syntactic counterpart to this restriction is 
introduced, namely the restriction of ground clauses to relevant atoms. 

Definition 11. Let C be a ground clause and Q a set of ground atoms. Then 
C_Q denotes the clause that we get from C by removing all literals with atoms 
not occurring in Q. O 

So obviously C = C_Q ∨ C_{HB\Q} for every ground clause C. Furthermore 
C = C_Q if and only if C_{HB\Q} is the empty clause. Definition 11 is actually only 
needed within the proof of the following proposition, which is a central step in 
the argumentation of this paper: 

Proposition 12. Let Th be a clausal theory and let Q be a set of ground atoms. 
Then there is a ground clausal theory Th_Q such that 

1. all atoms in the clauses of Th_Q are elements of Q, 

2. Th_Q is a logical consequence of Th, and 

3. for every Herbrand model M of Th_Q there is an Herbrand model M' of Th 
such that M' ∩ Q = M ∩ Q. 

Proof. Define Th_Q and an auxiliary theory Th^+ as: 

Th^+ := {C | C can be derived from ground instances of clauses in Th 
by a finite number (possibly zero) of resolution steps} 

Th_Q := {C | C ∈ Th^+ and C = C_Q}. 

Obviously item 1 of the proposition holds. Item 2 is an immediate conse- 
quence of the soundness of ground resolution. For the proof of item 3 consider 
some Herbrand model M of Th_Q. We need two more auxiliary theories: 

enforce_Q(M) := (M ∩ Q) ∪ {A → ⊥ | A ∈ Q \ M} 

Th_{M,Q} := enforce_Q(M) ∪ {C_{HB\Q} | C ∈ Th^+ and M ⊭ C_Q} 

We will see below that Th_{M,Q} is satisfiable. Since an Herbrand model is known 
to exist for any satisfiable clausal theory, there is an Herbrand model M' of 
Th_{M,Q}. It has the required properties: 
— M' ∩ Q = M ∩ Q: This is an immediate consequence of M' ⊨ enforce_Q(M). 

— M' ⊨ Th: Consider some ground instance C of a clause in Th. If C_Q is 
satisfied by M, then C_Q is also satisfied by M' because of M' ∩ Q = M ∩ Q. 
Otherwise C_{HB\Q} is an element of Th_{M,Q} and is therefore satisfied by M'. 
So in either case C = C_Q ∨ C_{HB\Q} is satisfied by M'. 

The satisfiability of Th_{M,Q} follows by the refutation completeness of ground 
resolution from the facts that (a) Th_{M,Q} does not contain the empty clause and 
(b) Th_{M,Q} is saturated w.r.t. ground resolution: 

(a) Assume the empty clause were in Th_{M,Q}. It cannot be an element of enforce_Q(M) 
because this set consists entirely of unit clauses. So there must be some clause 
C ∈ Th^+ such that M ⊭ C_Q and C_{HB\Q} is the empty clause. The latter 
condition means that C = C_Q. Therefore C ∈ Th_Q and thus M ⊨ C. Us- 
ing the fact C = C_Q again we get M ⊨ C_Q, which contradicts the above 
condition M ⊭ C_Q. 

(b) Consider two resolvable clauses A ∨ R and ¬A ∨ R' in Th_{M,Q}, where A is a 
ground atom and R and R' are disjunctions of ground literals. We will see 
that R ∨ R' is in Th_{M,Q}. 

A cannot be an element of Q because in Th_{M,Q} the atoms from M ∩ Q do 
not occur in negative literals and the atoms from Q \ M do not occur in 
positive literals. Therefore the two clauses are not in enforce_Q(M). 
So there are clauses C, C' ∈ Th^+ with C_{HB\Q} = A ∨ R, C'_{HB\Q} = ¬A ∨ R', 
M ⊭ C_Q, and M ⊭ C'_Q. The clauses C = A ∨ R ∨ C_Q and C' = ¬A ∨ R' ∨ C'_Q 
can be resolved to C'' := R ∨ C_Q ∨ R' ∨ C'_Q. This resolvent is in Th^+ because 
Th^+ is saturated w.r.t. resolution. Since none of the atoms of R and R' are 
in Q, we get C''_Q = C_Q ∨ C'_Q. From M ⊭ C_Q and M ⊭ C'_Q we conclude 
M ⊭ C''_Q. Therefore Th_{M,Q} contains C''_{HB\Q} = R ∨ R'. □ 

It is not intended to actually compute Th_Q, which will frequently be infinite 
even for finite Th. Its existence is needed only for theoretical purposes. 

Now we come to the semantic aspects of the notion of relevant atoms. In the 
following definition a parameter Q providing the set of relevant atoms is added 
to M and M_min. Another parameter X is intended to provide the set of minimal 
models (or their relevant parts) generated by the previous model generation step. 

Definition 13. Let X be a set of Herbrand interpretations, Q a set of ground 
atoms, and Th a theory. Then 

restr_Q(X) := {I ∩ Q | I ∈ X} 

M(Th, Q) := restr_Q(M(Th)) 

M(X, Th, Q) := restr_Q(exp_⊆(X) ∩ M(Th)) 

M_min(Th, Q) := min_⊆(M(Th, Q)) 

M_min(X, Th, Q) := min_⊆(M(X, Th, Q)) 

An element of M(Th, Q) is an answer to the query Q w.r.t. Th. An element of 
M_min(Th, Q) is a minimal answer to Q w.r.t. Th. O 
From an operational perspective, we might generate M_min(X, Th, Q) as fol- 
lows. We start with the elements of X and extend them to models of Th. Among 
all the possible models we generate only those that are minimal w.r.t. Q and we 
actually restrict them to Q. 

The following lemma helps to transfer properties of sets of Herbrand models 
to sets of answers. 

Lemma 14. For a clausal theory Th and a set Q of ground atoms there is a 
ground clausal theory Th_Q with all atoms in Q such that 

M(Th, Q) = M(Th_Q, Q). 

Proof. Let Thq be as given by Proposition 12. □ 

The property that we actually want to transfer from sets of Herbrand models 
to sets of answers is the chain-completeness property from Lemma 6: 

Lemma 15. For a clausal theory Th and a set Q of ground atoms the set 
M(Th, Q) is chain-complete. 

Proof. We may assume that Th is a ground clausal theory all atoms of which 
are in Q, because otherwise we can replace Th by an appropriate theory Th_Q 
according to Lemma 14. 

For every I ∈ M(Th, Q) there is a model M_I of Th with M_I ∩ Q = I. 
Consider an arbitrary ground clause ⋀_i B_i → ⋁_j H_j in Th with all B_i in I. 
Thus all B_i are in M_I and since M_I is a model of Th, some H_j must also be 
in M_I. Since all the atoms of Th are in Q, H_j is in M_I ∩ Q = I. Thus every 
I ∈ M(Th, Q) is a model of Th, and therefore M(Th, Q) ⊆ M(Th). 

Now consider a non-empty chain K ⊆ M(Th, Q). By our considerations 
above K is also a non-empty chain in M(Th). So by Lemma 6 the greatest lower 
bound ⋂K of K is in M(Th). Thus M(Th, Q) contains ⋂K ∩ Q, which is equal 
to ⋂K because K has at least one element, which is a subset of Q. □ 

In a way similar to Corollary 7 we can now apply Lemma 5 to Lemma 15 
and get the following corollary: 

Corollary 16 (Existence of Minimal Answers). Let I be an answer to a 
query Q w.r.t. a clausal theory Th. Then there is a minimal answer I' to Q 
w.r.t. Th with I' ⊆ I. 

For the chain of equations in the proof of Theorem 19 we need two more 
lemmas, which can be proved in a style similar to Lemma 10, but without referring 
to any of the results above. 

Lemma 17. Let X be a set of Herbrand interpretations, Th a clausal theory, 
and Q_1 and Q_2 sets of ground atoms such that Q_2 ⊆ Q_1 and every body atom of 
Th is in Q_1. Then 

restr_{Q_2}(exp_⊆(X) ∩ M(Th)) = restr_{Q_2}(exp_⊆(restr_{Q_1}(X)) ∩ M(Th)). 







Lemma 18. Let X be a set of Herbrand interpretations and Q a set of ground 
atoms. Then 

exp_⊆(restr_Q(exp_⊆(X))) = exp_⊆(restr_Q(X)). 

Now we have all the auxiliary results necessary to prove the main result for 
model generation in two steps: 

Theorem 19 (Compositionality). Let Th_1 and Th_2 be clausal theories with 
Th_1 independent from Th_2 and let Q_1 and Q_2 be sets of ground atoms such that Q_1 ⊇ Q_2 and 
Q_1 contains all the body atoms of Th_2. Then 

M_min(Th_1 ∪ Th_2, Q_2) = M_min(M_min(Th_1, Q_1), Th_2, Q_2) 

Proof. 

M_min(Th_1 ∪ Th_2, Q_2) 
= min_⊆(restr_{Q_2}(M(Th_1 ∪ Th_2))) 
= min_⊆(restr_{Q_2}(M(Th_1) ∩ M(Th_2))) 
= min_⊆(exp_⊆(restr_{Q_2}(M(Th_1) ∩ M(Th_2))))                      (Lemma 2) 
= min_⊆(exp_⊆(restr_{Q_2}(exp_⊆(M(Th_1) ∩ M(Th_2)))))               (Lemma 18) 
= min_⊆(exp_⊆(restr_{Q_2}(exp_⊆(exp_⊆(M(Th_1)) ∩ M(Th_2)))))        (Lemma 10) 
= min_⊆(exp_⊆(restr_{Q_2}(exp_⊆(M(Th_1)) ∩ M(Th_2))))               (Lemma 18) 
= min_⊆(restr_{Q_2}(exp_⊆(M(Th_1)) ∩ M(Th_2)))                      (Lemma 2) 
= min_⊆(restr_{Q_2}(exp_⊆(restr_{Q_1}(M(Th_1))) ∩ M(Th_2)))          (Lemma 17) 
= min_⊆(restr_{Q_2}(exp_⊆(M(Th_1, Q_1)) ∩ M(Th_2))) 
= min_⊆(restr_{Q_2}(exp_⊆(min_⊆(M(Th_1, Q_1))) ∩ M(Th_2)))          (Lemma 3) 
= M_min(M_min(Th_1, Q_1), Th_2, Q_2) 

Lemma 3 may be applied here because its condition is satisfied according to 
Corollary 16. □ 

By induction with Theorem 19 we immediately get the main result for model 
generation in an arbitrary finite number of steps: 

Corollary 20. Let Th_1, …, Th_n (n ≥ 1) be clausal theories with Th_i independent from Th_j 
for i < j, and let Q_1, …, Q_n be sets of ground atoms such that Q_i ⊇ Q_{i+1} and 
Q_i contains all the body atoms of Th_{i+1} ∪ … ∪ Th_n. Then 

M_min(Th_1 ∪ … ∪ Th_n, Q_n) = M_min(… M_min(M_min(Th_1, Q_1), Th_2, Q_2) …, Th_n, Q_n) 
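The operators of Definition 13 and the step-by-step generation of Corollary 20, run on the introductory theory of Section 1 to check the counts claimed there (m^n minimal models for the naive method against n · m step by step). This is an added Python example, not the paper's code: it enumerates interpretations over a finite set of atoms instead of building PUHR tableaux, and the clause encoding and the names theory_part, extensions, min_answers, naive and stepwise are its own assumptions.

```python
# Step-by-step minimal model generation (Definition 13, Theorem 19, Corollary
# 20) run on the introductory theory {p_1} u {p_i -> q_i,1 v ... v q_i,m} u
# {q_i,j -> p_i+1}.  Added example, not the paper's code: models are found by
# enumerating interpretations over a finite set of atoms rather than by PUHR
# tableaux, so it only serves to check the counts claimed in the introduction.
from itertools import product

def theory_part(i, m, with_fact=False):
    """Th_i: p_i -> q_i,1 v ... v q_i,m and q_i,j -> p_i+1; Th_1 also holds the fact p_1.
    Clauses are (body, head) pairs of frozensets of atom names (assumed encoding)."""
    clauses = [(frozenset({f'p{i}'}), frozenset(f'q{i},{j}' for j in range(1, m + 1)))]
    clauses += [(frozenset({f'q{i},{j}'}), frozenset({f'p{i + 1}'})) for j in range(1, m + 1)]
    if with_fact:
        clauses.append((frozenset(), frozenset({f'p{i}'})))
    return clauses

def atoms_of(th, *extra):
    return sorted(set().union(*(body | head for body, head in th), *extra))

def body_atoms(th):
    return set().union(*(body for body, _ in th))

def satisfies(interp, th):
    return all(not body <= interp or bool(head & interp) for body, head in th)

def models(th, base):
    """M(Th) with the Herbrand base cut down to the finite atom list `base`."""
    found = set()
    for bits in product((False, True), repeat=len(base)):
        interp = frozenset(a for a, bit in zip(base, bits) if bit)
        if satisfies(interp, th):
            found.add(interp)
    return found

def min_(H):                       # min w.r.t. the subset relation (Definition 1)
    return {m for m in H if not any(h < m for h in H)}

def restr(X, Q):                   # restr_Q(X) = {I n Q | I in X}
    return {i & Q for i in X}

def extensions(X, th, Q):
    """exp(X) n M(Th): the models of Th that extend some element of X."""
    base = atoms_of(th, *X, Q)
    return {I for I in models(th, base) if any(x <= I for x in X)}

def min_answers(X, th, Q):
    """M_min(X, Th, Q) = min(restr_Q(exp(X) n M(Th))) from Definition 13."""
    return min_(restr(extensions(X, th, Q), Q))

def naive(n, m):
    """Minimal models of the whole theory, then restricted to the relevant atom p_n+1.
    Returns (number of minimal models generated, minimal answers)."""
    th = [c for i in range(1, n + 1) for c in theory_part(i, m, with_fact=(i == 1))]
    mm = min_(models(th, atoms_of(th)))
    return len(mm), min_(restr(mm, frozenset({f'p{n + 1}'})))

def stepwise(n, m):
    """Corollary 20: the minimal answers of step i are the starting set X of step i+1.
    Q_i is {p_n+1} plus every body atom of the later parts, as the corollary requires.
    Returns (number of minimal models generated over all steps, final minimal answers)."""
    parts = [theory_part(i, m, with_fact=(i == 1)) for i in range(1, n + 1)]
    X, generated = {frozenset()}, 0
    for i, th_i in enumerate(parts):
        Q_i = frozenset({f'p{n + 1}'}).union(*(body_atoms(p) for p in parts[i + 1:]))
        generated += len(min_(extensions(X, th_i, Q_i)))   # minimal models before restriction
        X = min_answers(X, th_i, Q_i)
    return generated, X

if __name__ == '__main__':
    print(naive(3, 2))      # 2**3 = 8 minimal models, answer {p4}
    print(stepwise(3, 2))   # 3 * 2 = 6 minimal models, same answer
```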



4 Integration into the PUHR tableau calculus 

After a brief revision of the PUHR tableau calculus in Section 4.1, Section 4.2 
will explain informally how this calculus can be improved by applying it in a 
step-by-step manner. 
4.1 PUHR Tableaux 

PUHR tableaux [4] for a clausal theory Th are constructed from an initial tableau 
consisting of a single empty branch by repeated application of the inference rule¹ 

    B_1 ∧ … ∧ B_k → H_1 ∨ … ∨ H_n      (a ground instance of a clause in Th) 
    ----------------------------------------------------------- 
    H_1        |   H_2        |   …   |   H_{n−1}   |   H_n 
    ¬H_2       |   ¬H_3       |       |   ¬H_n      | 
    …          |   …          |       |             | 
    ¬H_n       |   ¬H_n       |       |             | 

That is, if a branch Br contains all the body atoms of some ground instance C 
of a clause in Th with n head atoms, then Br may be split into n branches, each 
of which is extended by one of the head atoms H_i of C. In addition, an extended 
branch also contains the complements of the head atoms H_j with j > i. If C 
has no head atoms (i.e., n = 0), then the branch is closed. A branch is also 
considered closed if it contains an atom and its complement. PUHR tableaux 
satisfy a regularity condition that forbids the application of a ground clause C 
to a branch Br if Br already contains some head atom of C. A branch that is not 
closed is open. An open branch Br is saturated if for every ground instance C of 
a clause either some body atom of C does not occur in Br or some head atom of 
C does occur. A PUHR tableau is saturated if every open branch is saturated. 

Example 21. A saturated PUHR tableau for the theory {a ∨ b ∨ c ∨ d ∨ e, a → f, 
b → c, c → f, d → c, e → f} is 

[tableau figure not reproduced in this text] 

where “—” marks a closed branch. O 

A branch of a PUHR tableau is frequently identified with the set of positive 
ground atoms along the branch, and thus with an Herbrand interpretation. A 
saturated PUHR tableau T for a theory Th has, among others, the following 
properties [4]: 

1. Every open branch of T is an Herbrand model of Th. 

2. Every minimal Herbrand model of Th appears as an open branch of T. 

3. If two models M and M′ with M ⊂ M′ are represented by branches, then 
the branch for M appears to the left of the branch for M′. 

¹ We use the variant of PUHR tableaux with "complement splitting". 

According to properties 1 and 2, PUHR tableaux can be used as a method for 
generating the set of minimal models if non-minimal models are eliminated. In 
order to eliminate all non-minimal or duplicate models we traverse a saturated 
tableau in depth-first left-to-right order and, according to property 3, we only 
need to check for every generated model that it is not a superset of some minimal 
model already generated before. In fact, one may close a branch as soon as the 
set of atoms along the branch becomes a superset of a minimal model generated 
before, even if the branch is not yet saturated. The procedure which does exactly 
this is called MM-Satchmo [4]. 

Example 22. In the tableau given in Example 21 MM-Satchmo closes the fourth 
branch because {d, c, f} is a superset of the model {c, f} represented by the 
third branch. □ 

4.2 Step-by-Step PUHR Tableaux 

We will now see how PUHR tableaux can be made more efficient by handling 
parts of the given theory step by step. For simplicity we assume a division of the 
given theory in two parts. The extension to the general case with n parts is as 
simple as in Section 3. 

Let the given theory be Th := Th_1 ∪ Th_2 such that Th_1 does not depend on Th_2. 
We construct a saturated PUHR tableau for Th in two steps as follows: In the first 
step we generate a saturated PUHR tableau T_1 for Th_1. In the second step we apply 
ground instances of clauses from Th_2 to the open branches of T_1 up to saturation. 
Notice that after the second step the tableau is still saturated w.r.t. Th_1 because 
we have required Th_1 not to depend on Th_2. So we have in fact constructed a 
saturated PUHR tableau for Th. 

Up to now we have not gained anything compared to a straight-forward 
application of the PUHR tableau calculus to Th. However, we may prune (i.e., 
close) branches earlier and more frequently with the step-by-step approach. To 
get an intuition for the pruning possibilities, consider an example. 

Example 23. Let Th_1 be the theory {a ∨ b ∨ c ∨ d ∨ e, a → f, b → c, c → f, d → c, 
e → f} from Example 21. Let Q_1 := {a, f} be the set of atoms that are 
relevant in the first step because they are either body atoms in Th_2 or elements 
of Q_2 because they are relevant for the application. We do not care about details 
of Th_2 and Q_2. Let Th be Th_1 ∪ Th_2. Then for Th_1 we get the tableau from 
Example 21, which we call T_1. Each of the open branches of this tableau is 
extended by some subtree for Th_2, yielding a tableau T for Th. 

Notice that MM-Satchmo does not close the fourth branch {d, c, f} of T_1 as in 
Example 22 unless the third branch {c, f} happens to be immediately saturated 
w.r.t. Th_2. However, according to the results of Section 3 we may eliminate non-
minimal models already for Th_1. So we may close the fourth branch of T_1 no 
matter what effect Th_2 will have on the third branch. 

Since we are only interested in the atoms of Q_1 in the first step, we may close 
even more branches: 

— We may close the fifth branch of T_1 because {e, f} ∩ Q_1 = {f} is a superset 
of (actually equal to) {c, f} ∩ Q_1 = {f} and thus any answer generated from 
the fifth branch will be a superset of some answer generated from the third 
branch. 

— We may close the first branch of T_1 because {a, f} ∩ Q_1 = {a, f} is a proper 
superset of {c, f} ∩ Q_1 = {f} and thus any answer generated from the first 
branch will be a proper superset of some answer generated from the third 
branch. 

So the only remaining open branch is the third branch. We may not close it 
using the fifth branch as a justification, because that one is already closed. In 
other words, we may not perform mutual subsumption between branches. □ 

Now we come to the general case. With Th_1, ..., Th_n and Q_1, ..., Q_n given 
as in Corollary 20 the possible pruning steps are given by the following two rules: 

— A branch Br is closed within the ith step if Br ∩ Q_i ⊇ Br′ ∩ Q_i for some 
branch Br′ to the left of Br that is saturated w.r.t. Th_1 ∪ ... ∪ Th_i. 

— A branch Br is closed within the ith step if Br ∩ Q_i ⊋ Br′ ∩ Q_i for some 
branch Br′ to the right of Br that is saturated w.r.t. Th_1 ∪ ... ∪ Th_i. 

The first of these rules is more powerful than the minimization rule of MM-
Satchmo in two ways: 

— It does not require Br to be saturated w.r.t. Th_1 ∪ ... ∪ Th_n but only w.r.t. 
Th_1 ∪ ... ∪ Th_i. 

— It does not require Br′ to be a subset of Br but only Br′ ∩ Q_i to be a subset 
of Br ∩ Q_i. 

The second rule has no counterpart in MM-Satchmo, because such a weaker 
counterpart (checking for a proper subset relation between entire branches with-
out a restriction to Q_i) would never be applicable according to property 3 above. 
A proper superset relation is required in this rule in order to avoid that two 
branches that are equal w.r.t. Q_i mutually eliminate each other. Notice that the 
second rule cannot be applied in a depth-first left-to-right traversal of the overall 
tableau. We rather have to complete the tableau after every step. If, however, 
we insist on a depth-first traversal of the overall tableau, then we still have an 
improved pruning of branches from the strengthened first rule. 



5 Conclusion 

A formal framework has been presented for (1) step-by-step generation of mini-
mal models and (2) ignoring irrelevant parts of models early. The results such as 
Theorem 19 are simple and plausible. However the proofs are not that simple, 
in particular because they also cover the case where there is an infinite number 
of Herbrand models or answers, in which the existence of minimal models or 
answers is not trivial. Also the case of infinite clausal theories has been covered, 
even though this was more implicit. The treatment of the infinite case was nec-
essary in particular to cover proper first-order clausal theories rather than only 
ones that are essentially equivalent to finite propositional theories. 

It has also been demonstrated how the idea of step-by-step model generation 
can be used to refine the PUHR tableau method. But a similar refinement can 
be applied to any method that generates minimal models or answers because 
Theorem 19 does not depend on any particular method. 

Practical applications for the techniques described in this paper appear for 
example in model-based diagnosis for digital circuits [8,3,2]. Consider a circuit 
containing the part given in Figure 1. Assume that we already know that signal 
a is 1, and (for the sake of simplicity) that the gates in the figure are already 
known to work correctly. The circuit can be described by several clauses, including 
a=1 → b=1 ∨ c=1 and b=1 → d=1 and c=1 → d=1. In order to determine the 
broken gate(s), assume that we need to know signal d, but we do not care about b 
and c. We can conclude that at least one of the inputs of the or gate (b or c) must 
also be 1. In either case the common input d of the two and gates must be 1. In a 
straight-forward application of a model generation method we would have to 
separately consider two cases: one in which b = 1 and d = 1 holds, and one with 
c = 1 and again d = 1. The refinements presented in this paper allow us to replace 
the two cases by a single case with just d = 1. We get a strong optimization effect 
as in the example given in the introduction if several parts of this kind are 
connected serially in a circuit. Examples like this have actually been the 
motivation for the work presented here. Nevertheless, a more detailed discussion 
of this application is beyond the scope of this paper. It should also be 
investigated whether and how the optimization from the current paper can be 
combined with other application-specific optimizations, as they are implemented, 
e.g., in the DRUM-II algorithm [8]. 

[Fig. 1: the circuit fragment discussed above (figure not reproduced)] 
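To make the pruning rules of Section 4.2 and the circuit case above concrete, here is an added Python example, not the paper's or Satchmo's own code, that builds propositional PUHR tableaux with complement splitting, applies the MM-Satchmo subset test of Section 4.1, and applies the two step-by-step pruning rules with the relevant-atom sets Q_i. It reproduces Examples 21 to 23 and the two-cases-versus-one-case effect of the circuit clauses of Figure 1 (the fact a=1 and the three listed clauses are the only circuit clauses assumed). It also goes beyond the text in running more than one step, as Corollary 20 allows; the side conditions of Corollary 20 are assumed to hold for the input and are not checked.

```python
"""Propositional PUHR tableaux with complement splitting (Section 4.1), the
MM-Satchmo subset test for minimal models, and the two step-by-step pruning
rules of Section 4.2 restricted to the relevant atoms Q_i.  Added example,
not the paper's own code; ground propositional clauses only."""


def clause(body, head):
    """A ground clause B_1 ∧ ... ∧ B_m → H_1 ∨ ... ∨ H_n.  The order of the head
    atoms fixes the left-to-right order of the branches the clause creates."""
    return (frozenset(body), tuple(head))


def saturate(theory, pos=frozenset(), neg=frozenset()):
    """Open saturated branches of the PUHR tableau for `theory`, grown from a
    branch already carrying the atoms `pos` and the complements `neg`.
    Returned left to right as (pos, neg) pairs; closed branches are dropped."""
    if pos & neg:                         # an atom and its complement: closed
        return []
    for body, head in theory:
        # applicable: all body atoms present; regularity: no head atom present yet
        if body <= pos and not any(h in pos for h in head):
            if not head:                  # empty head (B -> ⊥): closed
                return []
            branches = []
            for i, h in enumerate(head):  # complement splitting: H_i plus ¬H_j, j > i
                branches += saturate(theory, pos | {h}, neg | set(head[i + 1:]))
            return branches
    return [(pos, neg)]                   # no clause applicable: saturated


def mm_satchmo(theory):
    """Minimal Herbrand models via the MM-Satchmo test: traverse the open
    branches depth-first left to right and drop any branch whose atoms are a
    superset of (or equal to) a model generated before (property 3)."""
    models = []
    for pos, _ in saturate(theory):
        if not any(m <= pos for m in models):
            models.append(pos)
    return models


def step_by_step(steps):
    """`steps` is a list of (Th_i, Q_i) pairs meeting the side conditions of
    Corollary 20 (assumed, not checked).  After saturating step i, a branch Br
    is closed if, restricted to Q_i, it is a superset of a saturated branch to
    its left (rule 1) or a proper superset of one to its right (rule 2).
    Returns the surviving branches (full atom sets) after the last step."""
    branches = [(frozenset(), frozenset())]
    for theory, Q in steps:
        Q = frozenset(Q)
        saturated = []
        for pos, neg in branches:         # extend every open branch by Th_i
            saturated += saturate(theory, pos, neg)
        views = [pos & Q for pos, _ in saturated]
        kept = []
        for k, (branch, view) in enumerate(zip(saturated, views)):
            by_left = any(view >= other for other in views[:k])      # rule 1
            by_right = any(view > other for other in views[k + 1:])  # rule 2
            if not (by_left or by_right):
                kept.append(branch)
        branches = kept
    return [pos for pos, _ in branches]


def answers(steps):
    """The surviving models restricted to Q_n: the answers relevant for the
    application."""
    Qn = frozenset(steps[-1][1])
    return [pos & Qn for pos in step_by_step(steps)]


# Constructed inputs: the theory of Example 21 and the circuit clauses of
# Fig. 1 (the known signal a=1 is a clause with an empty body).
EX21 = [clause([], ["a", "b", "c", "d", "e"]), clause(["a"], ["f"]),
        clause(["b"], ["c"]), clause(["c"], ["f"]),
        clause(["d"], ["c"]), clause(["e"], ["f"])]
CIRCUIT = [clause([], ["a=1"]), clause(["a=1"], ["b=1", "c=1"]),
           clause(["b=1"], ["d=1"]), clause(["c=1"], ["d=1"])]

if __name__ == "__main__":
    print([sorted(p) for p, _ in saturate(EX21)])         # the four open branches
    print([sorted(m) for m in mm_satchmo(EX21)])          # Example 22: {d,c,f} dropped
    print(step_by_step([(EX21, {"a", "f"})]))             # Example 23: only {c,f} left
    print(mm_satchmo(CIRCUIT), answers([(CIRCUIT, {"d=1"})]))  # two models, one answer
```

Running the circuit clauses through `mm_satchmo` yields the two cases b=1,d=1 and c=1,d=1 the text mentions; with Q_1 = {d=1} the first pruning rule closes the second branch and a single answer {d=1} remains.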

For many optimization techniques it is possible to construct examples for 
which the "optimized" treatment is actually less efficient than the straight-
forward treatment. This is also true for the optimization presented in this pa-
per. Consider the theory Th := Th_1 ∪ Th_2 with Th_1 := {p(a), ∀X(p(X) → q(X) 
∨ p(f(X)))} and Th_2 := {p(f(a)) → ⊥} and let the entire Herbrand base 
be relevant. Then Th has only a finite number of minimal Herbrand models, 
each of which satisfies only a finite number of ground atoms and may actually 
be computed in finite time. In contrast to this, Th_1 has an infinite number of 
minimal Herbrand models, even including one that satisfies an infinite number 
of ground atoms. So unless we have a sophisticated way to represent infinite 
Herbrand models and infinite sets of Herbrand models, the first step of a step-
by-step model generation procedure will not terminate. Unfavorable cases of this 
kind should be avoided when the theory is divided into steps. This paper does 
not provide a mechanism for dividing a theory into parts automatically. It is 
rather expected that appropriate divisions can be derived from knowledge about 
the application. So for example in model-based diagnosis for digital circuits the 
division might be derived from the structure of the given circuit. This fits with 
the general experience that the efficiency of automated deduction systems can be 
(and usually must be) improved by taking into account knowledge from the ap-
plication domain. Nevertheless general guidelines for partitioning theories would 
be useful. 

Given a theory Th and a set Q_n of relevant atoms, we need not only find 
appropriate components of Th, but we also have to find sets 
Q_1, ..., Q_{n-1} such that the conditions of Corollary 20 are satisfied. This is es-
sentially a sort of backward propagation of relevancy for atoms, i.e., propagation 
in the direction opposite to the implication arrows. Notice that backward prop-
agation of relevancy for atoms is also performed by Satchmore [6] and by the 
non-Horn magic-sets transformation [5,10], even in a more sophisticated way 
than in the present paper. However, these techniques are intended for refuta-
tional theorem proving rather than for model generation. In particular, they do 
not deal with the elimination of non-minimal or duplicate models or answers. 
The non-Horn magic-sets transformation can probably be adapted in such a way 
that it works for model generation and preserves answers to queries. It would 
then be interesting to investigate how this method can be combined with the 
step-by-step approach. 

The division of a theory into steps is similar to the notion of stratification for 
non-disjunctive logic programs with default negation in clause bodies [1]. Several 
refinements to the notion of stratification have been proposed, most prominently 
the notion of local stratification [11]. The granularity of steps as presented in this 
paper is finer than plain stratification but coarser than local stratification: We 
may assign two atoms with the same predicate symbol to different steps, but we 
cannot assign different ground instances of a clause to different steps. However, 
the fine granularity of local stratification can be achieved by a preprocessing 
step which replaces some clauses by an essentially equivalent set of instances of 
these clauses. So for example in the theory Th above the clause ∀X(p(X) → 
q(X) ∨ p(f(X))) can be replaced by the clauses p(a) → q(a) ∨ p(f(a)) and 
∀X′(p(f(X′)) → q(f(X′)) ∨ p(f(f(X′)))). After that transformation we are more 
flexible in dividing the theory into steps. 

If a clausal theory can be divided into parts that are mutually independent, 
then minimal models or answers can be generated independently for all the parts 
and combined in the style of a cross product afterwards. In practical applications 
there will frequently be the situation that some parts of the theory are mutually 
independent while there are dependencies between others. Therefore it would be 
interesting to investigate a combination of step-by-step model generation with a 
technique for mutually independent parts. 
Abstract. Hybrid logics were proposed in [15] as a way of boosting 
the expressivity of modal logics via a novel mechanism: adding labels for 
states in Kripke models and viewing these labels as formulae. In addition, 
hybrid logics may contain quantifiers to bind the labels. Thus, hybrid 
logics have both Kripke semantics and a first-order binding apparatus. 
We present prefixed tableau calculi for weak hybrid logics (proper frag-
ments of classical logic) as well as for hybrid logics having full first-order 
expressive power, and give a general method for proving completeness. 
For the weak quantifier-free logics we present a tableau-based decision 
procedure. 



1 Introduction 

Hybrid logics are extensions of modal logics with labels for states in Kripke mod-
els. The labels and the ordinary propositional symbols are treated in a uniform 
way to construct formulae of these logics. For example, given a label c, where 
labels are a special sort of formulae, c ∧ ¬◇p is a well-formed formula of the hy-
brid logics. In addition, hybrid logics allow quantification over the set of states 
in Kripke models. For example, the quantifier ∀x occurring in a formula should 
be read as "for all states x". 

As the examples suggest, hybrid logics have a rather novel syntax and se-
mantics. By viewing labels as formulae, they incorporate both Kripke semantics 
and first-order binding. Hybrid logics greatly increase the expressivity of modal 
logics, for example, they can express irreflexivity, the Until operator and count-
ing modalities; for a discussion on the relevance of hybrid logics for temporal 
logic and AI, we refer to [12, 7, 6]. In fact, hybrid logics can be seen as fragments 
of classical logic ranging from strictly weaker systems to systems having full 
first-order expressive power (see [3,4] for a hierarchy). 

So far, the work on proof systems for hybrid logics has been mostly con- 
cerned with Hilbert-style systems (see, for example, [11,8,12,5,7,14]), and a 
better deductive apparatus can be found only in [17,18,2]. The latter papers 
discuss sequent calculi and natural deduction systems for both weak quantifier- 
free hybrid languages and systems having full first-order expressive power. 

In this paper we investigate tableau proof systems for such languages as well 
as for a variety of weak languages containing powerful quantifiers. Tableau proof 
systems have been designed for a variety of modal logics and widely used for 
proving interpolation and other results (see, for example, [10, 16, 13]). However, 
tableau methods proved important not only from a theoretical point of view, 
but also they are nowadays successfully used for automated deduction (for an 
extensive overview we refer to [9]). 

We present tableau systems for weak hybrid languages as well as for very 
expressive languages containing powerful binders, and thus show that hybrid 
logics behave proof-theoretically well. Tableau systems are important especially 
for weak systems with quantifiers for which the only known Hilbert-style axiom- 
atizations contain infinite collections of rules of proof (see [5]). Completeness 
of the proposed calculi is proved in a uniform way using a systematic-tableau- 
construction argument. Our systematic procedure is based on the procedures 
in [19, 10], and constructs certain saturated sets that can be satisfied on hybrid 
Kripke models, namely on models in which labels are true at unique states. 

For the weak quantifier-free (and decidable) hybrid languages we give a new 
tableau-based proof procedure that terminates and thus decides the binder-free 
languages (Section 5). 



2 Hybrid logics 

We begin by recalling the syntax of propositional modal logic. Given a denu-
merably infinite set PROP = {p, q, r, ...} of propositional symbols, the well-
formed formulae of propositional modal logic (PML) are defined as follows: 
φ := p | ¬φ | φ ∧ ψ | □φ. The dual of the □ operator is ◇φ := ¬□¬φ. 
Other Boolean operators are defined in the standard way. 

To define hybrid logics we extend PML in two steps. First, we add two 
sets of new symbols: a countably infinite set SVAR = {x, y, z, ...}, called state 
variables and a countably infinite set NOM = {c, c_1, ...}, called nominals. (In 
what follows we assume that PROP, SVAR and NOM are fixed.) Second, we 
introduce operators. In this paper we consider two binding operators (binders): ∀ 
and ↓, and the operator @. Both state variables and nominals will be interpreted 
as singletons and thus will act as "labels" for the unique states they are satisfied 
at. The difference is that whereas state variables can be bound by the binders, 
nominals cannot. We call PROP ∪ SVAR ∪ NOM the set of atoms. The operator 
@_l allows us to retrieve the information at the state labeled l. 

Let O ⊆ {∀, ↓, @} be a set of operators. We define L(O), the hybrid language 
over the operators in O, to be the smallest set of formulae containing: (1) each 
atom a, (2) φ ∧ ψ for each φ and ψ in L(O), (3) ¬φ for each φ in L(O), (4) 
□φ for each φ in L(O), (5) ∀xφ (resp. ↓xφ) for each x ∈ SVAR and each φ ∈ L(O) 
if ∀ ∈ O (resp. ↓ ∈ O), and (6) @_lφ for each l ∈ SVAR ∪ NOM and each φ ∈ L(O) 
if @ ∈ O. (Thus, we have eight hybrid languages: one for each choice of O. 
Whenever O is clear from the context, we will write L instead of L(O).) We 
denote the simplest language containing no operator from O by L_0. 

The dual of ∀ is ∃xφ := ¬∀x¬φ. The binder ↓ will be self-dual. 
Note that the definition of the hybrid languages treats all atoms as formu-
lae. For example, x ∧ ∀x((p ∧ ◇c) → ¬◇x) is a well-formed formula. Free and 
bound state variables, substitution and other syntactic concepts are defined as 
in classical logic (for definitions see [5]). A formula φ is called a sentence iff 
φ does not contain any free occurrence of a state variable. Given a formula φ 
and state variables x and y, φ[y/x] will denote the formula obtained from φ by 
substituting y for all free occurrences of x. 

Now for the semantics. Let L be any of the hybrid languages defined above. 
A (Kripke) model M for L is a triple (S, R, V) such that S is a non-empty 
set of states, R a binary relation on S, called the accessibility relation, and 
V : PROP ∪ NOM → Pow(S). A valuation V is called hybrid iff for all nominals 
c ∈ NOM, V(c) is a singleton subset of S. A model M is called hybrid iff its 
valuation is hybrid. (That is: hybrid models treat nominals as labels.) 

To bind state variables we will make use of the Tarskian idea of assignment 
functions. An assignment for L on M is a mapping g : SVAR → Pow(S) such 
that for all state variables x ∈ SVAR, g(x) is a singleton subset of S. (That 
is: assignments treat state variables as labels.) The notation g′ ~x g (g′ is an 
x-variant of g) means that g′ and g are assignments (on some model M) such 
that g′ agrees with g on all arguments save possibly x. 

Let M = (S, R, V) be a hybrid model, g an assignment on M and s ∈ S 
a state in M. For any atom a, let [V,g](a) = g(a) if a is a state variable, and 
V(a) otherwise. Then the interpretation of the common fragment of all hybrid 
languages is carried out using the following definition: 

$$\begin{array}{lcl}
M,g,s \models a & \text{iff} & s \in [V,g](a), \text{ where } a \text{ is an atom} \\
M,g,s \models \neg\varphi & \text{iff} & M,g,s \not\models \varphi \\
M,g,s \models \varphi \wedge \psi & \text{iff} & M,g,s \models \varphi \text{ and } M,g,s \models \psi \\
M,g,s \models \Box\varphi & \text{iff} & \forall s'\,(sRs' \Rightarrow M,g,s' \models \varphi).
\end{array}$$

Note that the clauses for state variables are just like those for propositional sym-
bols, save that state variables make use of the assignment, whereas propositional 
symbols use the valuation. Here is the satisfaction definition for the binders: 

$$\begin{array}{lcl}
M,g,s \models \forall x\varphi & \text{iff} & M,g',s \models \varphi \text{ for all } g' \sim_x g \\
M,g,s \models {\downarrow}x\varphi & \text{iff} & M,g',s \models \varphi \text{ where } g' \sim_x g \text{ and } g'(x) = \{s\}.
\end{array}$$

∀ works globally: it binds state variables to arbitrary states in models, while ↓ 
binds locally: it binds a variable to the current state, and thus creates a label 
for here-and-now. Note that ↓ is self-dual: M,g,s ⊨ ↓xφ iff M,g,s ⊨ ¬↓x¬φ. 
For each l ∈ SVAR ∪ NOM, the interpretation of the operator @_l is given by: 

$$M,g,s \models @_l\varphi \quad \text{iff} \quad M,g,t \models \varphi \text{ where } [V,g](l) = \{t\}.$$

@_l jumps to the state labeled l and evaluates its argument there. 

A formula φ is satisfiable iff for some hybrid model M, some assignment g 
on M, and some state s in M, M,g,s ⊨ φ. A formula φ is valid iff for all 
hybrid models M, all assignments g on M, and all states s in M, M,g,s ⊨ φ. 
We write M,s ⊨ φ iff M,g,s ⊨ φ for all assignments g. Note that for every 
sentence φ, M,g,s ⊨ φ iff M,s ⊨ φ. 

Let L be any of the hybrid languages defined above. The hybrid logic of L is 
defined to be the set of all valid L-formulae. Hybrid languages greatly increase 
the expressivity of PML. For example, the weakest hybrid language L_0 is more 
expressive than PML, since L_0 can express irreflexivity by c → ¬◇c. Here are 
two examples of properties that are not definable in PML while definable in 
hybrid languages. 

Example 1. Counting modalities are definable. For example: 

At-least-2(φ) := ∃x∃y(◇(x ∧ ¬y ∧ φ) ∧ ◇(y ∧ ¬x ∧ φ)). 

At-least-2(φ) is satisfied at a state s iff φ is satisfied in at least two distinct 
successors of s. Read this definition as follows: it is possible to bind the variables 
x and y to two states in such a way that x is a successor of s and φ is true but 
y is false at x, and y is a successor of s and φ is true but x is false at y. 

Example 2. Until is definable. 

Until(φ, ψ) := ↓x◇↓y@x(◇(y ∧ φ) ∧ □(◇y ∧ ¬y → ψ)). 

Note how this works: we label the current state with x, use ◇ to move to an 
accessible state, which we label y, and then use @ to jump us back to x. We 
then use the modalities to insist that (1) φ holds at the state labeled y, and (2) 
ψ holds at all successors of the current state that precede this y-labeled state. 

In fact, hybrid languages can be seen as fragments of classical logic ranging 
from strictly weaker systems, like L(↓), to systems with full first-order expressive 
power, like L(∀, @). For further discussion on expressivity we refer to [3,4]. 
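As an added example that is not part of the paper, the following Python model checker implements the satisfaction clauses of this section, including ∀, ↓ and @, over a finite hybrid Kripke model, and evaluates the At-least-2 and Until definitions of Examples 1 and 2 as well as the irreflexivity formula c → ¬◇c. The tuple encoding of formulae, the constructed four-state model and its valuation are this example's own assumptions.

```python
"""Model checker for the hybrid languages of Section 2.  Formulae are nested
tuples; a model is a finite Kripke model (S, R, V) with a hybrid valuation.
Added example, not the paper's own code."""


# Formula constructors.  Atoms cover PROP, NOM and SVAR alike: an atom is
# looked up in the assignment g if bound there, otherwise in the valuation V.
def atom(a):        return ("atom", a)
def neg(f):         return ("not", f)
def conj(f, h):     return ("and", f, h)
def box(f):         return ("box", f)
def forall(x, f):   return ("forall", x, f)
def down(x, f):     return ("down", x, f)
def at(l, f):       return ("at", l, f)
# Defined operators: ◇ := ¬□¬,  → := ¬(· ∧ ¬·),  ∃ := ¬∀¬
def dia(f):         return neg(box(neg(f)))
def imp(f, h):      return neg(conj(f, neg(h)))
def exists(x, f):   return neg(forall(x, neg(f)))


def sat(model, g, s, f):
    """M, g, s ⊨ f for model = (S, R, V), assignment g (state variable ->
    singleton set of states) and state s, following the clauses above."""
    S, R, V = model
    kind = f[0]
    if kind == "atom":
        return s in (g[f[1]] if f[1] in g else V[f[1]])       # [V,g](a)
    if kind == "not":
        return not sat(model, g, s, f[1])
    if kind == "and":
        return sat(model, g, s, f[1]) and sat(model, g, s, f[2])
    if kind == "box":                                         # all R-successors of s
        return all(sat(model, g, t, f[1]) for (u, t) in R if u == s)
    if kind == "forall":                                      # every x-variant of g
        return all(sat(model, {**g, f[1]: {t}}, s, f[2]) for t in S)
    if kind == "down":                                        # bind x to the current state
        return sat(model, {**g, f[1]: {s}}, s, f[2])
    if kind == "at":                                          # jump to the state labelled l
        (t,) = g[f[1]] if f[1] in g else V[f[1]]              # labels are singletons
        return sat(model, g, t, f[2])
    raise ValueError(f"unknown connective {kind}")


def holds(model, s, f):
    """Satisfaction of a sentence (no free state variables) at state s."""
    return sat(model, {}, s, f)


def valid_in(model, f):
    """True iff the sentence f holds at every state of the model."""
    return all(holds(model, s, f) for s in model[0])


# Examples 1 and 2 of the paper in the tuple encoding.
def at_least_2(phi):
    x, y = atom("x"), atom("y")
    return exists("x", exists("y", conj(dia(conj(x, conj(neg(y), phi))),
                                        dia(conj(y, conj(neg(x), phi))))))


def until(phi, psi):
    x, y = atom("x"), atom("y")
    return down("x", dia(down("y", at("x", conj(dia(conj(y, phi)),
                                              box(imp(conj(dia(y), neg(y)), psi)))))))


# Constructed model: states 0..3 with 0->1, 0->2, 1->2, 2->3, 3->3.
# The valuation is hybrid: the nominals c and d each denote a single state.
MODEL = ({0, 1, 2, 3},
         {(0, 1), (0, 2), (1, 2), (2, 3), (3, 3)},
         {"p": {2}, "q": {1}, "r": {1, 2}, "c": {1}, "d": {3}})

if __name__ == "__main__":
    p, q, r, c, d = (atom(a) for a in "pqrcd")
    print(holds(MODEL, 0, at_least_2(r)))           # state 0 has two r-successors
    print(holds(MODEL, 0, until(p, q)))             # p at 2 is reached after the q-state 1
    print(valid_in(MODEL, imp(c, neg(dia(c)))))     # the state named c is irreflexive
    print(valid_in(MODEL, imp(d, neg(dia(d)))))     # fails: the state named d sees itself
```

Because ◇ reads only immediate successors here, Until(φ, ψ) holds at state 0 of the constructed model exactly when some successor y satisfies φ and every successor that sees y (other than y itself) satisfies ψ; changing ψ to ¬q makes it fail, since the intermediate state 1 satisfies q.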

Lemma 1 (Substitution Lemma). Let M be a hybrid model, let g be an 
assignment on M, and let φ be a formula of any of the hybrid languages defined 
above. Then, for every state s in M, if y is a variable that is substitutable for x 
in φ and c is a nominal then: 

1. M, g, s ⊨ φ[y/x] iff M, g′, s ⊨ φ, where g′ ~x g and g′(x) = g(y). 

2. M, g, s ⊨ φ[c/x] iff M, g′, s ⊨ φ, where g′ ~x g and g′(x) = V(c). 

Proof. By induction on the complexity of φ. 



3 Prefixed tableaux 

Prefixed tableau systems have been designed for a variety of modal logics (see 
[10]). The idea is to use prefixes to "label" states in Kripke models. In contrast to 
the branch "modification" techniques, prefixes allow us to keep the information 
about the past. This is crucial to the hybrid languages as nominals and state 
variables should be satisfied at unique states. We follow the notation in [10]. 
Let L be any of the hybrid languages defined in Section 2. It suffices to 
construct tableau proofs for sentences in L, since validity of arbitrary formulae 
can be reduced to that of sentences. As a consequence, tableau proofs will contain 
only sentences of L (and not arbitrary formulae). More precisely, tableau proofs 
will contain two types of formulae: prefixed sentences and accessibility sentences. 

Prefixed sentences in L (prefixed L-sentences) consist of a prefix followed by 
an L-sentence. More formally, given a countably infinite set of prefixes PREF = 
{σ, τ, ...}, a prefixed sentence has the form σφ where σ ∈ PREF and φ is 
an L-sentence. A prefixed sentence σφ is typically read as "φ holds at the state 
labeled σ". We refer to prefixed sentences as atomic if they are of the form σa 
or σ¬a, where σ is a prefix and a an atom in L. 

Recall that nominals are also used to label states in models. Thus, prefixed 
sentences contain two kinds of labels: nominals and prefixes. The difference is 
that nominals label states internally, that is, we refer to them in formulae in the 
object language, whereas prefixes label externally: they are used in the meta-
language to keep the information about all states that have been created in the 
course of the tableau construction. 

Accessibility sentences are of the form σ < σ′ where σ and σ′ are prefixes. 

As it was mentioned before, prefixes will later be interpreted as states in 
models while accessibility sentences will define pairs of states that are in the 
accessibility relation. 

Let Γ be a set of prefixed sentences and accessibility sentences. We use 
PREF(Γ) (resp. NOM(Γ) and PROP(Γ)) to denote the set of all prefixes (resp. 
nominals and propositional symbols) that occur in some prefixed or accessibility 
sentence in Γ. 

A tableau rule in L consists of a premiss P and a (finite) set of conclusions 
C_1, ..., C_n, where n ∈ ω, written P / C_1 | ... | C_n. The premiss and the 
conclusions are (finite) sets consisting of accessibility sentences and prefixed 
L-sentences. The tableau rules can be read as follows: "if all formulae in the 
premiss P of a rule are simultaneously satisfiable then so are all formulae in at 
least one of the conclusions". 

Let O ⊆ {∀, ↓, @} be some set of operators and L the hybrid language over 
O. A tableau calculus TC(O) for L is a finite collection of tableau rules in L. 
Tableau calculi for the hybrid languages will be defined in the next section. 

The definition of prefixed tableaux that we use is standard and can be found 
in [10]. Throughout the definition both prefixed L-sentences and accessibility 
sentences are referred to as sentences. 

A TC(O)-prefixed tableau for σφ is a finite tree with root σφ each node of 
which carries either a prefixed L-sentence or an accessibility sentence. We say 
that a TC(O)-rule is applicable to a branch if the branch contains all sentences 
that occur in the premiss of the rule. The steps for extending the tableau are: (1) 
choose a branch θ and a rule ρ that is applicable to θ, (2) if ρ has n conclusions, 
split the end of θ into n branches and for all k ≤ n, add C_k to the k-th branch. 
(That is, for all k ≤ n we add as many nodes to the k-th branch as there are 
sentences in C_k.) All tableaux are constructed in this way. 

The left-hand-side tableau in Example 3 below motivates the following: 
Definition 1 (Closed branches and tableaux). Let T be a prefixed tableau 
and θ a branch in T. θ is closed if either (1) θ contains both σφ and σ¬φ or, 
(2) θ contains the following four prefixed sentences σc, σφ, σ′c and σ′¬φ, where 
φ is an L-sentence, σ, σ′ prefixes and c a nominal. If a branch is not closed it is 
open. The tableau T is closed if all its branches are closed, otherwise T is open. 

Let T be a tableau and θ a branch in T. Define a binary relation <_θ, the 
accessibility relation, on the set PREF(θ) as follows: σ <_θ σ′ iff σ < σ′ is on θ. 

Let Γ be a set of prefixed sentences, <_Γ a binary relation on PREF(Γ), and 
M = (S, R, V) a hybrid model for L. A mapping I : PREF → S is called 
an interpretation of (Γ, <_Γ) if for all prefixes σ and σ′ in Γ such that σ <_Γ σ′ 
we have I(σ) R I(σ′). In particular, if Γ is the set of all prefixed sentences that 
occur on a branch θ and <_Γ is the accessibility relation <_θ, we say that I is an 
interpretation of θ. 

Definition 2 (Satisfiability of branches). Let Γ be a set of prefixed sentences 
and <_Γ a binary relation on PREF(Γ). Further, let M be a hybrid model for 
L and I an interpretation of (Γ, <_Γ). We say that (Γ, <_Γ) is satisfiable in M 
under I if for all σφ ∈ Γ we have M, I(σ) ⊨ φ. A branch θ is satisfiable 
in M under I if (Γ, <_Γ) is satisfiable in M under I, where Γ is the set of 
all prefixed sentences that occur on θ and <_Γ is the accessibility relation <_θ. 
(Γ, <_Γ) is satisfiable if there is a hybrid model M and an interpretation I such 
that (Γ, <_Γ) is satisfiable in M under I. A branch θ is satisfiable if there is a 
model M and an interpretation I such that θ is satisfiable in M under I. 

It is easy to see that a closed branch θ cannot be satisfiable. A tableau is 
called satisfiable if it has a satisfiable branch. Let O ⊆ {∀, ↓, @} be a set of 
operators, L the hybrid language over O and φ an L-sentence. We say that φ is 
provable in a tableau calculus TC(O) iff there is a closed tableau for σ¬φ where 
σ is some prefix. In this case, the tableau is called a proof of φ in TC(O). 



4 Tableau calculi for hybrid logics 



In this section we define tableau calculi for hybrid languages and prove them 
complete. The collection of rules TC below defines a tableau calculus for the 
weakest hybrid language L_0 that contains no operators from {∀, ↓, @}. We use c 
and c_1 to denote nominals, and σ, τ and σ′ to denote prefixes. 

$$(\alpha)\ \frac{\sigma(\varphi \wedge \psi)}{\sigma\varphi,\ \sigma\psi} \qquad (\beta)\ \frac{\sigma\neg(\varphi \wedge \psi)}{\sigma\neg\varphi \mid \sigma\neg\psi}$$

$$(\nu)\ \frac{\sigma\Box\varphi,\ \sigma < \sigma'}{\sigma'\varphi} \qquad (\pi)\ \frac{\sigma\neg\Box\varphi}{\sigma'\neg\varphi,\ \sigma < \sigma'}\ \ \sigma' \text{ is not on the branch}$$

$$(Labeling)\ \frac{\sigma}{\sigma c}\ \ c \text{ is not on the branch} \qquad (S\text{-}Identifying)\ \frac{\sigma c,\ \tau c,\ \tau < \sigma'}{\sigma < \sigma'} \qquad (L\text{-}Identifying)\ \frac{\sigma c,\ \tau c,\ \sigma_1 c_1,\ \tau c_1}{\sigma c_1,\ \sigma_1 c}$$
The rules α, β, ν and π are known from tableau calculi for modal logics 
and apply to hybrid languages as well. The Labeling and both Identifying rules 
reflect the hybrid languages. The Labeling rule says that whenever we have an 
external label σ for a state, we can introduce an internal label c for that state. 
The S-Identifying rule allows us to identify the successors of two states if the two 
states have a common internal label. More precisely, if two states are internally 
labelled by a label c then we identify the successors of the first state with those 
of the second. The L-Identifying rule says that we can identify the internal labels 
of a state σ with those of a state σ_1, if σ and σ_1 share a common external label, 
namely τ. The rules for the operators ∀, ↓ and @ are defined as follows: 



$$(\forall 1)\ \frac{\sigma\forall x\varphi}{\sigma\varphi[c/x]}\ \ c \text{ is on the branch} \qquad (\forall 2)\ \frac{\sigma\neg\forall x\varphi}{\sigma\neg\varphi[c/x]}\ \ c \text{ is not on the branch}$$

$$({\downarrow}1)\ \frac{\sigma{\downarrow}x\varphi,\ \sigma c}{\sigma\varphi[c/x]} \qquad ({\downarrow}2)\ \frac{\sigma\neg{\downarrow}x\varphi,\ \sigma c}{\sigma\neg\varphi[c/x]}$$

$$(@1)\ \frac{\sigma @_c\varphi}{\sigma' c,\ \sigma'\varphi} \qquad (@2)\ \frac{\sigma\neg @_c\varphi}{\sigma' c,\ \sigma'\neg\varphi}$$

(In the @-rules above, if σc is on the branch, σ′ = σ, else σ′ is not on the branch.) 
Let O ⊆ {∀, ↓, @} be any set of operators and L be the hybrid language over O. 
We define a tableau calculus TC(O) for L to be the following collection of rules 
in L: TC ∪ {O-rules | O ∈ O}. (For example, TC ∪ {↓-rules} ∪ {@-rules} is the 
tableau calculus for L(↓, @).) One can see that if a single tableau rule is applied 
to a satisfiable tableau, the resulting tableau will be satisfiable too. Therefore, 
TC(O) is sound: if an L-sentence φ is provable in TC(O), then φ is valid. 

Before turning to completeness, we consider three examples of tableau proofs. 
To simplify the presentation, we use finite sequences of natural numbers as pre-
fixes, and assume that two prefixes σ = k_1 ... k_i and τ = l_1 ... l_j are in the 
accessibility relation of a branch θ iff either j = i + 1 and for all m ≤ i, k_m = l_m 
or, θ contains σ < τ. 

Example 3. The tableau on the left-hand side below is closed because of Definition 1.
The tableau proof on the right-hand side below uses the Labeling rule.

Left-hand side (closed by Definition 1, since $1.1.1.\,c$, $1.2.\,c$, $1.1.1.\,p$ and $1.2.\,\neg p$ are on the branch):

 1.  $1.\ \neg(\Diamond\Diamond(c \wedge p) \to \Box(c \to p))$
 2.  $1.\ \Diamond\Diamond(c \wedge p)$
 3.  $1.\ \neg\Box(c \to p)$
 4.  $1.1.\ \Diamond(c \wedge p)$
 5.  $1.2.\ \neg(c \to p)$
 6.  $1.1.1.\ c$
 7.  $1.1.1.\ p$
 8.  $1.2.\ c$
 9.  $1.2.\ \neg p$
     $\bot$

Right-hand side (each line is followed by the lines and the rule it is obtained from):

 1.  $1.\ \neg(\Diamond p \to {\downarrow}x\Diamond{\downarrow}y\,@_x@_y\,p)$
 2.  $1.\ \Diamond p$                                        (1, $\alpha$)
 3.  $1.\ \neg{\downarrow}x\Diamond{\downarrow}y\,@_x@_y\,p$        (1, $\alpha$)
 4.  $1.1.\ p$                                              (2, $\pi$)
 5.  $1.\ c_1$                                              (Labeling)
 6.  $1.\ \neg\Diamond{\downarrow}y\,@_{c_1}@_y\,p$              (3, $\downarrow_2$)
 7.  $1.1.\ \neg{\downarrow}y\,@_{c_1}@_y\,p$                    (6, $\nu$)
 8.  $1.1.\ c_{11}$                                         (Labeling)
 9.  $1.1.\ \neg@_{c_1}@_{c_{11}}\,p$                         (7, $\downarrow_2$)
10.  $1.\ \neg@_{c_{11}}\,p$                                 (9, $@_2$)
11.  $1.1.\ \neg p$                                         (10, $@_2$)
     $\bot$                                                 (4, 11)
Example 4. The following tableau proof uses the S-Identifying rule.

 1.  $1.\ \neg(\Diamond(c \wedge \Box(c_1 \to p)) \to \neg\Diamond(c \wedge \Diamond(c_1 \wedge \neg p)))$
 2.  $1.\ \Diamond(c \wedge \Box(c_1 \to p))$                (1, $\alpha$)
 3.  $1.\ \Diamond(c \wedge \Diamond(c_1 \wedge \neg p))$     (1, $\alpha$)
 4.  $1.1.\ c$                                              (2, $\pi$, $\alpha$)
 5.  $1.1.\ \Box(c_1 \to p)$                                (2, $\pi$, $\alpha$)
 6.  $1.2.\ c$                                              (3, $\pi$, $\alpha$)
 7.  $1.2.\ \Diamond(c_1 \wedge \neg p)$                     (3, $\pi$, $\alpha$)
 8.  $1.2.1.\ c_1$                                          (7, $\pi$, $\alpha$)
 9.  $1.2.1.\ \neg p$                                       (7, $\pi$, $\alpha$)
10.  $1.1 < 1.2.1$                                          (4, 6, S-Identifying)
11.  $1.2.1.\ c_1 \to p$                                    (5, 10, $\nu$)
12.  $1.2.1.\ \neg c_1$   |   $1.2.1.\ p$                    (11, $\beta$)
     $\bot$ (8, 12)       |   $\bot$ (9, 12)


4.1 A proof procedure 

To prove that the tableau calculi defined above are complete we will use a
systematic-tableau-construction argument (see [19, 10]). Given a sentence $\varphi$, we
will describe a systematic procedure such that if $\varphi$ is valid, the procedure on
input $\neg\varphi$ will construct a tableau proof for $\varphi$; otherwise, the procedure will
construct a counter-model for $\varphi$. Note that in the case of hybrid logics the
counter-model should be a hybrid (Kripke) model.

The procedure will closely follow the systematic procedures in [19, 10]. We
will work with each occurrence of a prefixed sentence in a tableau exactly once,
after which we declare this occurrence finished. We fix an enumeration $E_{nom} =
\{c_1, c_2, \ldots\}$ of all nominals in NOM and an enumeration $E_{pref} = \{\sigma_1, \sigma_2, \ldots\}$ of
all prefixes in PREF.

The proof procedure. On input $\chi = \neg\varphi$ perform the following steps:

Step 1. Place $\sigma_1\neg\varphi$ at the origin and then add $\sigma_1 c$. (Here $c$ is the first nominal
in $E_{nom}$ that is not in $\chi$.) This completes Step 1.

Suppose that $n$ steps of the procedure have been completed and the tableau
that has been constructed is $T_n$. Denote by (a) the condition that all occurrences
of prefixed sentences in $T_n$ are finished and by (b) the condition that there is an
open branch $\theta$ in $T_n$ such that for all prefixes $\sigma$ and $\tau$ on $\theta$, if $\theta$ contains $\sigma c$ and
$\tau c$ for some nominal $c$ then $\sigma$ and $\tau$ have the same $<_\theta$-successors, and for all
prefixes $\sigma$, $\tau$ and $\sigma_1$ on $\theta$, if for some nominals $c$ and $c_1$ the sentences $\sigma c$, $\tau c$, $\sigma_1 c_1$, $\tau c_1$ are on
$\theta$, then $\sigma c_1$ and $\sigma_1 c$ are on $\theta$. Then, if either $T_n$ is closed, or both (a) and (b) hold,
stop. Otherwise perform the next step.

Step $n+1$. This step consists of two substeps, namely (A) and (B):

(A) For all open branches $\theta$:

(1) for all prefixes $\sigma$ and $\tau$ on $\theta$, if $\sigma c$ and $\tau c$ are on $\theta$, where $c$ is a nominal, then
identify the $<_\theta$-successors of $\sigma$ with the $<_\theta$-successors of $\tau$ by adding to the end of $\theta$
accessibility sentences as follows: for all $\tau'$ such that $\tau <_\theta \tau'$ add $\sigma < \tau'$, and for
all $\sigma'$ such that $\sigma <_\theta \sigma'$ add $\tau < \sigma'$;

(2) for all prefixes $\sigma$, $\tau$ and $\sigma_1$ on $\theta$, if $\sigma c$, $\tau c$, $\sigma_1 c_1$, $\tau c_1$ are on $\theta$, where $c$ and $c_1$
are nominals, add $\sigma c_1$ and $\sigma_1 c$ to the end of $\theta$.

Having done this for all open branches $\theta$, all nominals and all prefixes on $\theta$,
go on to:

(B) Choose an occurrence of a prefixed sentence as high up in the tree as
possible (as close to the origin as possible) that has not been finished, say this
is $\sigma\varphi$. If $\sigma\varphi$ is atomic, declare $\sigma\varphi$ finished and complete Step $n+1$.

Otherwise, extend the tableau as follows. For each open branch $\theta$ through
this occurrence of $\sigma\varphi$, do the following:

(1) If $\sigma\varphi$ is $\sigma\neg\neg\psi$ (resp. $\sigma(\psi_1 \wedge \psi_2)$), add $\sigma\psi$ (resp. $\sigma\psi_1$ and $\sigma\psi_2$) to $\theta$.

(2) If $\sigma\varphi$ is $\sigma\neg(\psi_1 \wedge \psi_2)$, split $\theta$ into two branches and add $\sigma\neg\psi_1$ to the one branch
and $\sigma\neg\psi_2$ to the other.

(3) If $\sigma\varphi$ is of the form $\sigma\Box\psi$, then for each prefix $\sigma'$ such that $\sigma'$ appears on $\theta$
and $\sigma < \sigma'$, add $\sigma'\psi$ to $\theta$, after which add a fresh occurrence of $\sigma\Box\psi$ to $\theta$.

(4) If $\sigma\varphi$ is of the form $\sigma\neg\Box\psi$, then add $\sigma < \sigma'$, $\sigma'\neg\psi$ and $\sigma' c$ to $\theta$. (Here $\sigma'$
is the first prefix in the enumeration $E_{pref}$ that is not on $\theta$ and $c$ is the first
nominal in the enumeration $E_{nom}$ that is not on $\theta$.)

(5) If $\sigma\varphi$ is of the form $\sigma\forall x\psi$, then for all nominals $c$ on $\theta$, add $\sigma\psi[c/x]$ to $\theta$,
followed by a fresh occurrence of $\sigma\forall x\psi$.

(6) If $\sigma\varphi$ is of the form $\sigma\neg\forall x\psi$, then add $\sigma\neg\psi[c/x]$ to $\theta$, where $c$ is the first
nominal in the enumeration $E_{nom}$ that is not on $\theta$.

(7) If $\sigma\varphi$ is $\sigma{\downarrow}x\psi$, add $\sigma\psi[c/x]$ to $\theta$. Here $c$ is a nominal such that $\sigma c$ is on $\theta$.

(8) If $\sigma\varphi$ is $\sigma\neg{\downarrow}x\psi$, add $\sigma\neg\psi[c/x]$ to $\theta$. Here $c$ is a nominal such that $\sigma c$ is on $\theta$.

(9) If $\sigma\varphi$ is $\sigma@_c\psi$, then add $\sigma'\psi$ and $\sigma' c$ to $\theta$, where $\sigma' = \sigma$ if $\sigma c$ is on $\theta$, and $\sigma'$
is the first prefix in the enumeration $E_{pref}$ that is not on $\theta$ otherwise.

(10) If $\sigma\varphi$ is $\sigma\neg@_c\psi$, then add $\sigma'\neg\psi$ and $\sigma' c$ to $\theta$, where $\sigma' = \sigma$ if $\sigma c$ is on $\theta$,
and $\sigma'$ is the first prefix in the enumeration $E_{pref}$ that is not on $\theta$ otherwise.

Having done this for all open branches through the current occurrence of $\sigma\varphi$,
declare this occurrence finished. This completes Step $n+1$.

End of the procedure.
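The branch-level bookkeeping that the procedure relies on, namely the accessibility relation of a branch (sequence prefixes plus explicit $\sigma < \tau$ sentences, as fixed before Example 3), the identification closure of substep (A) and the closure test of Definition 1, as an added Python example. This is not code from the paper; it assumes prefixes are tuples of integers and formulas are nested tuples such as ("nom", "c"), ("atom", "p") or ("not", f), of which only atoms, nominals and negation are inspected.

```python
# Branch bookkeeping for the prefixed hybrid tableaux of Section 4. Added example,
# not code from the paper. A branch is a set of prefixed sentences plus the explicit
# accessibility sentences "sigma < tau"; prefixes are tuples of ints (the finite
# sequences of natural numbers used in the examples), formulas are nested tuples
# ("atom", a) | ("nom", c) | ("not", f) | ... of which only atoms, nominals and
# negation are inspected here. Implements the accessibility relation of a branch,
# substep (A) of the systematic procedure (S-Identifying and L-Identifying run to a
# fixed point) and the closure test of Definition 1 (property (1) of Definition 3).

from itertools import combinations, product


def is_nominal(f):
    return f[0] == "nom"


def is_atom(f):
    # In this calculus nominals count as atoms for the closure condition.
    return f[0] in ("atom", "nom")


class Branch:
    def __init__(self, sentences, explicit=()):
        self.sentences = set(sentences)   # {(prefix, formula)}
        self.explicit = set(explicit)     # explicit "sigma < tau" sentences

    def prefixes(self):
        ps = {p for p, _ in self.sentences}
        for s, t in self.explicit:
            ps.update((s, t))
        return ps

    def accessible(self, sigma, tau):
        """sigma < tau iff tau extends sigma by exactly one component
        (j = i + 1 and k_m = l_m for all m <= i) or the branch contains sigma < tau."""
        implicit = len(tau) == len(sigma) + 1 and tau[:len(sigma)] == sigma
        return implicit or (sigma, tau) in self.explicit

    def successors(self, sigma):
        return {t for t in self.prefixes() if self.accessible(sigma, t)}

    def labels(self, sigma):
        """Nominals c such that sigma c is on the branch."""
        return {f[1] for p, f in self.sentences if p == sigma and is_nominal(f)}

    def identify(self):
        """Substep (A): apply S-Identifying and L-Identifying until nothing changes.
        Returns the number of sentences added."""
        added = 0
        while True:
            before = added
            # (A)(1) S-Identifying: sigma c and tau c  =>  sigma and tau get the same successors.
            for s, t in product(self.prefixes(), repeat=2):
                if s != t and self.labels(s) & self.labels(t):
                    for t1 in self.successors(t) - self.successors(s):
                        self.explicit.add((s, t1))
                        added += 1
            # (A)(2) L-Identifying: sigma c, tau c, sigma1 c1, tau c1  =>  sigma c1 and sigma1 c.
            for tau in self.prefixes():
                for c, c1 in combinations(sorted(self.labels(tau)), 2):
                    for p in self.prefixes():
                        lp = self.labels(p)
                        if (c in lp) != (c1 in lp):
                            self.sentences.add((p, ("nom", c1 if c in lp else c)))
                            added += 1
            if added == before:
                return added

    def closed(self):
        """Definition 1: sigma a and tau (not a) for an atom a, where sigma = tau
        or sigma and tau share a nominal."""
        pos = {(p, f) for p, f in self.sentences if is_atom(f)}
        neg = {(p, f[1]) for p, f in self.sentences if f[0] == "not" and is_atom(f[1])}
        return any(a == b and (s == t or self.labels(s) & self.labels(t))
                   for s, a in pos for t, b in neg)
```

On the sentences of Example 4 (lines 4 to 9), `identify()` adds exactly the accessibility sentence $1.1 < 1.2.1$ of line 10, and the branch closes once $1.2.1.\ \neg c_1$ is added.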

Clearly, the procedure does not always terminate; for example, it does not on input
$\chi = \Diamond(c \wedge \Diamond c \wedge \Box\Diamond c)$. Termination will be discussed at the end of Section 4 as
well as in Section 5.



4.2 Completeness 

Note that if the procedure on input $\chi = \neg\varphi$ does not produce a closed tableau
for $\neg\varphi$ then it constructs an open branch $\theta$ having the properties listed in the
following definition. More precisely, if $\Gamma$ is the set of all prefixed sentences on $\theta$
and $<_\Gamma$ is the accessibility relation on $\theta$, then $(\Gamma, <_\Gamma)$ is downward saturated.

Definition 3 (Downward saturated sets). Let $\mathcal{O} \subseteq \{\forall, \downarrow, @\}$ be a set of
operators and $\mathcal{L}$ be the hybrid language over $\mathcal{O}$. Further, let $\Gamma$ be a non-empty
set of prefixed sentences in $\mathcal{L}$ and $<_\Gamma$ a binary relation on the prefixes in $\Gamma$.
$(\Gamma, <_\Gamma)$ is called $\mathcal{O}$-downward saturated iff the following properties from the list
below hold: for all $n \le 7$ property $(n)$, and for every operator $O \in \mathcal{O}$ properties
$(O)$ and $(O')$.

(1) there is no atom $a$ and no prefix $\sigma$ in $\Gamma$ such that both $\sigma a \in \Gamma$ and $\sigma\neg a \in \Gamma$;
and there are no prefixes $\sigma$ and $\tau$ in $\Gamma$ such that for some $c \in NOM(\Gamma)$ and
some atom $a$, $\Gamma$ contains $\sigma c$, $\tau c$, $\sigma a$, $\tau\neg a$;

(2) for all nominals $c$ and $c_1$ and all prefixes $\sigma$, $\tau$ and $\sigma_1$, if $\sigma c, \tau c, \sigma_1 c_1, \tau c_1 \in \Gamma$
then $\sigma_1 c, \sigma c_1 \in \Gamma$;

(3) for all nominals $c$ and for all prefixes $\sigma$ and $\tau$, if $\sigma c, \tau c \in \Gamma$ then $\sigma$ and $\tau$
have the same $<_\Gamma$-successors;

(4) if $\sigma(\varphi \wedge \psi) \in \Gamma$ (resp. $\sigma\neg\neg\varphi \in \Gamma$) then $\sigma\varphi \in \Gamma$ and $\sigma\psi \in \Gamma$ (resp. $\sigma\varphi \in \Gamma$);

(5) if $\sigma\neg(\varphi \wedge \psi) \in \Gamma$ then either $\sigma\neg\varphi \in \Gamma$ or $\sigma\neg\psi \in \Gamma$;

(6) if $\sigma\Box\varphi \in \Gamma$ then for all $\tau$ in $\Gamma$, $\sigma <_\Gamma \tau$ implies $\tau\varphi \in \Gamma$;

(7) if $\sigma\neg\Box\varphi \in \Gamma$ then $\tau\neg\varphi \in \Gamma$ for some $\tau$ in $\Gamma$ such that $\sigma <_\Gamma \tau$;

($\forall$) if $\sigma\forall x\varphi \in \Gamma$, then $\sigma\varphi[c/x] \in \Gamma$ for every nominal $c$ in $\Gamma$;
($\forall'$) if $\sigma\neg\forall x\varphi \in \Gamma$, then $\sigma\neg\varphi[c/x] \in \Gamma$ for some nominal $c$ in $\Gamma$;
($\downarrow$) if $\sigma{\downarrow}x\varphi \in \Gamma$, then $\sigma c, \sigma\varphi[c/x] \in \Gamma$ for some nominal $c$ in $\Gamma$;
($\downarrow'$) if $\sigma\neg{\downarrow}x\varphi \in \Gamma$, then $\sigma c, \sigma\neg\varphi[c/x] \in \Gamma$ for some nominal $c$ in $\Gamma$;

($@$) if $\sigma@_c\varphi \in \Gamma$ where $c$ is a nominal, then $\sigma' c, \sigma'\varphi \in \Gamma$ for some prefix $\sigma'$;
($@'$) if $\sigma\neg@_c\varphi \in \Gamma$ where $c$ is a nominal, then $\sigma' c, \sigma'\neg\varphi \in \Gamma$ for some prefix $\sigma'$.

To cope with the binders when proving satisfiability of downward saturated
sets we need the concept of a labeled model.

Definition 4 (Labeled Models). Let $\mathcal{M}$ be a hybrid model in a hybrid language
$\mathcal{L}$. We say that $\mathcal{M}$ is labeled if for all states $s \in \mathcal{M}$, there is a nominal
$c$ such that $\mathcal{M}, s \models c$.

To state the next lemma we fix notation: a set of prefixed sentences $\Gamma$ is
called labeled iff for all prefixes $\sigma$ in $\Gamma$, there is a nominal $c$ such that $\sigma c$ is in $\Gamma$.

Lemma 2 (Satisfiability of Downward saturated sets). Let $\mathcal{O} \subseteq \{\forall, \downarrow, @\}$
be a set of operators and $\mathcal{L}$ be the hybrid language over $\mathcal{O}$. Further, let $\Gamma$ be a
set of prefixed sentences in $\mathcal{L}$ and $<_\Gamma$ a binary relation on the prefixes in $\Gamma$. If
$(\Gamma, <_\Gamma)$ is $\mathcal{O}$-downward saturated and $\Gamma$ is labeled, then $(\Gamma, <_\Gamma)$ is satisfiable.

Proof. Let $\sim$ be the binary relation on the set $PREF(\Gamma)$ defined as follows: $\sigma \sim \tau$
iff there is a nominal $c$ such that $\sigma c$, $\tau c$ are in $\Gamma$. Since $\Gamma$ is labeled and (2) of
Definition 3 holds, $\sim$ is an equivalence relation on $PREF(\Gamma)$; let $S$ be the set of
the equivalence classes. Define $f : PREF(\Gamma) \to S$ to be the function that maps
each prefix $\sigma \in PREF(\Gamma)$ to its equivalence class.

Our model $\mathcal{M}$ is a triple $(S^+, R, V)$, where $S^+ = S$ if for all $c \in NOM(\Gamma)$
there is a $\sigma$ such that $\sigma c \in \Gamma$, and $S^+ = S \cup \{*\}$ otherwise. (Here $*$ is an entity that
is not an equivalence class.) For every two states $s_1, s_2 \in S^+$, $s_1 R s_2$ iff there
are $\sigma_1, \sigma_2 \in PREF(\Gamma)$ such that $\sigma_1 <_\Gamma \sigma_2$, $f(\sigma_1) = s_1$ and $f(\sigma_2) = s_2$; for all
$p \in PROP(\Gamma)$, $V(p) = \{s \mid \exists\sigma : f(\sigma) = s \ \&\ \sigma p \in \Gamma\}$; for all $c \in NOM(\Gamma)$,
$V(c) = \{s \mid \exists\sigma : f(\sigma) = s \ \&\ \sigma c \in \Gamma\}$ if this set is non-empty and $V(c) = \{*\}$
otherwise; for all $p \in PROP$ such that $p \notin PROP(\Gamma)$ and all $c \in NOM$ such
that $c \notin NOM(\Gamma)$, $V(p) = V(c) = \{*\}$.

First, note that $\mathcal{M}$ is a hybrid model, that is, for all $c \in NOM$, $V(c)$ is a
singleton set. If $c \notin NOM(\Gamma)$ this is obvious, so let $c \in NOM(\Gamma)$ and suppose
that there are $s_1, s_2 \in S^+$ with $\{s_1, s_2\} \subseteq V(c)$. Then there exist $\sigma_1, \sigma_2$ such
that $f(\sigma_1) = s_1$, $f(\sigma_2) = s_2$, $\sigma_1 c \in \Gamma$ and $\sigma_2 c \in \Gamma$, hence $s_1 = s_2$.

Second, $\mathcal{M}$ is a labeled model, as the set $\Gamma$ is labeled and, if $\mathcal{M}$ contains the
state $*$, then $\mathcal{M}, * \models c$ for some nominal $c$ in $\Gamma$.

Third, consider an interpretation $I : PREF \to S^+$ which is an arbitrary
extension of the function $f : PREF(\Gamma) \to S^+$ to $PREF$. To show that $(\Gamma, <_\Gamma)$
is satisfiable in $\mathcal{M}$ under $I$, we will prove by induction on the complexity of $\varphi$
that for every prefixed sentence $\sigma\varphi$, if $\sigma\varphi \in \Gamma$ then $\mathcal{M}, f(\sigma) \models \varphi$.

The base case, that is, for $\varphi$ an atom $a$ or $\neg a$, follows from the definition of
$\mathcal{M}$ and property (1) of Definition 3.

Now assume that $\sigma\varphi \in \Gamma$ and that for all prefixed sentences $\sigma\psi \in \Gamma$, if $\psi$ has
lower complexity than $\varphi$ then $\mathcal{M}, f(\sigma) \models \psi$. We consider different cases for $\varphi$.

If $\varphi$ is $\psi \wedge \chi$, $\neg\neg\psi$, $\neg(\psi \wedge \chi)$ or $\neg\Box\psi$ we use (4), (5) and (7) of Definition 3.

Let $\varphi$ be $\Box\psi$ and $\sigma\varphi \in \Gamma$. We have to prove that for all $s \in S^+$, $f(\sigma) R s$
implies $\mathcal{M}, s \models \psi$. So, suppose that $f(\sigma) R s$ for some $s \in S^+$. Note that, by the
definition of $\mathcal{M}$, $f(\sigma) \in S$ and, since $*$ is not a successor of any state in $S$, $s$
cannot be $*$, and so $s \in S$ too.

Then there are $\sigma_1, \sigma_2$ such that $\sigma_1 <_\Gamma \sigma_2$, $f(\sigma_1) = f(\sigma)$ and $f(\sigma_2) = s$.
Hence $\sigma <_\Gamma \sigma_2$. (If $\sigma \neq \sigma_1$, this follows from the fact that, since $f(\sigma_1) = f(\sigma)$,
there is $c \in NOM(\Gamma)$ such that $\sigma_1 c, \sigma c \in \Gamma$, and by (3) of Definition 3, $\sigma_1$
and $\sigma$ have the same set of successors.) Now, as $\sigma\Box\psi \in \Gamma$ and $\sigma <_\Gamma \sigma_2$, by
(6) of Definition 3, $\sigma_2\psi \in \Gamma$. By the inductive hypothesis, $\mathcal{M}, f(\sigma_2) \models \psi$ and
hence, equivalently, $\mathcal{M}, s \models \psi$. We have shown that for all states $s \in S^+$, $f(\sigma) R s$
implies $\mathcal{M}, s \models \psi$, and hence $\mathcal{M}, f(\sigma) \models \Box\psi$.

Let $\varphi$ be $\forall x\psi$ and $\sigma\varphi \in \Gamma$. We have to show that $\mathcal{M}, f(\sigma) \models \forall x\psi$, that
is, for all states $s \in S^+$, if $g$ is an assignment such that $g(x) = \{s\}$ then
$\mathcal{M}, g, f(\sigma) \models \psi$. Since $\mathcal{M}$ is a labeled model, $s$ is labeled by some nominal $c$.
Moreover, as $\sigma\forall x\psi \in \Gamma$ and $(\Gamma, <_\Gamma)$ is downward saturated (see ($\forall$) of Definition 3),
$\sigma\psi[c/x] \in \Gamma$ and hence, by the inductive hypothesis, $\mathcal{M}, f(\sigma) \models \psi[c/x]$.
Therefore, by the Substitution Lemma, $\mathcal{M}, g, f(\sigma) \models \psi$ for all $s \in S^+$.

Let $\varphi$ be ${\downarrow}x\psi$ and $\sigma\varphi \in \Gamma$. We have to show that $\mathcal{M}, f(\sigma) \models {\downarrow}x\psi$, that is
$\mathcal{M}, g, f(\sigma) \models \psi$ where $g$ is an assignment such that $g(x) = \{f(\sigma)\}$. As $(\Gamma, <_\Gamma)$ is
downward saturated (see ($\downarrow$) of Definition 3) and $\sigma{\downarrow}x\psi \in \Gamma$, for some nominal
$c$ in $\Gamma$ we have $\sigma c, \sigma\psi[c/x] \in \Gamma$. Then, by the inductive hypothesis, $\mathcal{M}, f(\sigma) \models
c$ and $\mathcal{M}, f(\sigma) \models \psi[c/x]$. Hence $V(c) = \{f(\sigma)\}$. Therefore, by the Substitution
Lemma, $\mathcal{M}, g, f(\sigma) \models \psi$.

Suppose that $\varphi$ is $@_c\psi$ and $\sigma\varphi \in \Gamma$. We have to show that $\mathcal{M}, f(\sigma) \models @_c\psi$.
Since $\sigma@_c\psi \in \Gamma$, by ($@$) of Definition 3, there is $\sigma'$ such that $\sigma' c, \sigma'\psi \in
\Gamma$. Hence, by the inductive hypothesis, $\mathcal{M}, f(\sigma') \models c$ and $\mathcal{M}, f(\sigma') \models \psi$, and
therefore $\mathcal{M}, f(\sigma') \models @_c\psi$; since the truth of $@_c\psi$ does not depend on the state of evaluation, $\mathcal{M}, f(\sigma) \models @_c\psi$.
The cases when $\varphi$ is $\neg\forall x\psi$, $\neg{\downarrow}x\psi$ and $\neg@_c\psi$ can be proved similarly using
($\forall'$), ($\downarrow'$) and ($@'$) of Definition 3.
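The model construction of the proof above (equivalence classes of prefixes as states, the extra state $*$, and the reading off of $R$ and $V$), together with a check of the induction claim $\sigma\varphi \in \Gamma \Rightarrow \mathcal{M}, f(\sigma) \models \varphi$ on a small constructed $\Gamma$, as an added Python example. This is not code from the paper; it restricts itself to the binder-free connectives (atoms, nominals, $\neg$, $\wedge$, $\Box$, $@$) so that no assignments are needed, represents prefixes as tuples of integers and formulas as nested tuples, and takes $<_\Gamma$ as an explicit set of prefix pairs.

```python
# Model construction from a labeled, downward saturated set, following the proof
# of Lemma 2. Added example, not code from the paper. Gamma is a set of prefixed
# sentences (prefix: tuple of ints; formula: nested tuple) and acc is the relation
# <_Gamma as a set of prefix pairs. Formula syntax, binders left out so that no
# assignments are needed (atom and nominal names are assumed disjoint):
#   ("atom", p) | ("nom", c) | ("not", f) | ("and", f, g) | ("box", f) | ("at", c, f)

STAR = "*"   # the extra state used when a nominal of Gamma labels no prefix


def symbols(phi, kind):
    """Names of kind "atom" or "nom" occurring anywhere in phi (PROP(Gamma), NOM(Gamma))."""
    if phi[0] in ("atom", "nom"):
        return {phi[1]} if phi[0] == kind else set()
    found = {phi[1]} if (phi[0] == "at" and kind == "nom") else set()
    for sub in phi[1:]:
        if isinstance(sub, tuple):
            found |= symbols(sub, kind)
    return found


def classes(gamma):
    """f: prefix -> its class under ~ (sigma ~ tau iff some nominal labels both).
    Classes are merged transitively; for a saturated Gamma this is exactly ~,
    since property (2) of Definition 3 makes ~ transitive."""
    cls = {p: {p} for p, _ in gamma}
    for c in {f[1] for _, f in gamma if f[0] == "nom"}:
        merged = set().union(*(cls[p] for p, f in gamma if f == ("nom", c)))
        for p in merged:
            cls[p] = merged
    return {p: frozenset(s) for p, s in cls.items()}


def build_model(gamma, acc):
    """Return (states, R, V, f) for M = (S+, R, V) as in the proof of Lemma 2."""
    f = classes(gamma)
    states = set(f.values())
    R = {(f[s], f[t]) for s, t in acc}
    nom = set().union(*(symbols(phi, "nom") for _, phi in gamma))
    prop = set().union(*(symbols(phi, "atom") for _, phi in gamma))
    V = {x: {f[p] for p, phi in gamma if phi in (("atom", x), ("nom", x))}
         for x in nom | prop}
    if any(not V[c] for c in nom):       # some nominal of Gamma labels no prefix
        states.add(STAR)
        for c in nom:
            V[c] = V[c] or {STAR}
    return states, R, V, f


def sat(model, s, phi):
    """M, s |= phi for the binder-free fragment."""
    states, R, V = model
    k = phi[0]
    if k in ("atom", "nom"):
        return s in V[phi[1]]
    if k == "not":
        return not sat(model, s, phi[1])
    if k == "and":
        return sat(model, s, phi[1]) and sat(model, s, phi[2])
    if k == "box":
        return all(sat(model, t, phi[1]) for t in states if (s, t) in R)
    if k == "at":
        (t,) = V[phi[1]]                 # V(c) is a singleton in a hybrid model
        return sat(model, t, phi[2])
    raise ValueError(k)


def truth_lemma_holds(gamma, acc):
    """The induction claim of Lemma 2: sigma phi in Gamma implies M, f(sigma) |= phi."""
    states, R, V, f = build_model(gamma, acc)
    return all(sat((states, R, V), f[p], phi) for p, phi in gamma)


# Constructed labeled, downward saturated set: prefixes 1.1 and 1.2 share the
# nominal c2 and so become one state; c3 occurs in Gamma but labels no prefix.
GAMMA = {
    ((1,), ("nom", "c")), ((1,), ("box", ("atom", "p"))),
    ((1,), ("at", "c1", ("atom", "q"))), ((1,), ("not", ("nom", "c3"))),
    ((1, 1), ("nom", "c2")), ((1, 1), ("atom", "p")),
    ((1, 2), ("nom", "c2")), ((1, 2), ("atom", "p")),
    ((2,), ("nom", "c1")), ((2,), ("atom", "q")),
}
ACC = {((1,), (1, 1)), ((1,), (1, 2))}
```

On `GAMMA`, `build_model` produces four states (three classes plus $*$), one $R$-edge, $V(c_3) = \{*\}$, and every prefixed sentence of `GAMMA` holds at the state of its prefix.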

Theorem 1 (Completeness). Let $\mathcal{O} \subseteq \{\forall, \downarrow, @\}$ be a set of operators and $\mathcal{L}$ be
the hybrid language over $\mathcal{O}$. If an $\mathcal{L}$-sentence $\varphi$ is valid, then $\varphi$ has a systematic
tableau proof in $TC(\mathcal{O})$.

Proof. The proof is standard. If $\varphi$ is not provable, a systematic attempt at
proving $\varphi$ will produce an open branch $\theta$ such that the set $\Gamma$ of all prefixed
sentences on $\theta$ is labeled and $(\Gamma, <_\theta)$ is $\mathcal{O}$-downward saturated. Hence,
by Lemma 2, $(\Gamma, <_\theta)$ is satisfiable, and therefore $\varphi$ cannot be valid.

Soundness and completeness imply that the systematic procedure is a proof
procedure for the hybrid languages:

Corollary 1. Let $\mathcal{O} \subseteq \{\forall, \downarrow, @\}$ be a set of operators and $\mathcal{L}$ be the hybrid
language over $\mathcal{O}$. Then, for every $\mathcal{L}$-sentence $\varphi$, if $\varphi$ is provable in $TC(\mathcal{O})$ then $\varphi$
has a systematic tableau proof in $TC(\mathcal{O})$.

Any hybrid language that contains either the binder $\forall$ or the binder $\downarrow$ is
undecidable (see [3,4]).¹ There are only two binder-free languages: $\mathcal{L}_\emptyset$ and $\mathcal{L}(@)$.
Both languages are decidable, since they can be embedded into the guarded
fragment defined in [1]. However, the proof procedure we introduced in Section
4.1 does not terminate for these two decidable languages; $\chi = \Diamond(c \wedge \Diamond c \wedge \Box\Diamond c)$
is an example of non-termination. The reason for the non-termination here is
the occurrence of an infinite alternation of the $\pi$ and the S-Identifying rule.

In the next section, we define a procedure that uses a new rule called the
S'-Identifying rule instead of the previously introduced S-Identifying rule. Moreover,
we allow applying the $\pi$ rule only with a proviso. As a result, for the new
procedure we will be able to prove termination and, moreover, that it is in fact
a decision procedure for $\mathcal{L}_\emptyset$ and $\mathcal{L}(@)$.

5 A terminating proof procedure 

The proof procedure we define in this section will use only the following rules:
$\alpha$, $\beta$, $\pi$, L-Identifying and the $@$-rules from Section 4, and in addition the rule:

(S'-Identifying)  $\sigma c,\ \tau c,\ \sigma\Box\varphi,\ \tau < \tau'\ /\ \tau'\varphi$

(Here $c$ is a nominal and $\sigma$, $\tau$ and $\tau'$ are prefixes.) Obviously, the latter rule is
correct.

In the tableau construction below, when the $\pi$-rule is applied, the prefix that
is introduced is new to the entire tableau. As a consequence, for each prefix $\tau$
in the tableau there is a unique sequence of prefixes $\tau_1, \ldots, \tau_n$ such that $\tau_n = \tau$,
for each $i < n$, $\tau_i < \tau_{i+1}$ is on the tableau and there is no prefix $\sigma$ such that
$\sigma < \tau_1$ is on the tableau. We call $n$ the depth of the prefix $\tau$. As before we
will work with each occurrence of a prefixed sentence that is not of the form
$\sigma\Box\psi$ exactly once, after which we declare this occurrence finished. No prefixed
sentence should be added to a branch if the sentence is already on the branch. Let
$E_{pref} = \{\sigma_1, \sigma_2, \ldots\}$ and $E_{nom} = \{c_1, c_2, \ldots\}$ be enumerations of respectively
all prefixes in PREF and all nominals in NOM.

¹ Decidable hybrid logics containing binders exist and can be obtained by restricting
the classes of models (see [4]).

The terminating procedure. On input $\chi$ perform the following steps:

Step 1. Place $\sigma_1\chi$ at the origin and add $\sigma_1 c$, where $c$ is the first nominal
in $E_{nom}$ that is not in $\chi$. While there is an unfinished occurrence of a prefixed
sentence $\sigma\varphi$ that is not of the form $\tau\Box\psi$ or $\tau\neg\Box\psi$, do the following:

For all branches $\theta$ through $\sigma\varphi$, if $\varphi$ is:

- atomic, do not extend $\theta$;

- $\neg\neg\psi$ (resp. $\psi_1 \wedge \psi_2$), add $\sigma\psi$ (resp. $\sigma\psi_1$ and $\sigma\psi_2$) to $\theta$;

- $\neg(\psi_1 \wedge \psi_2)$, split $\theta$ into two branches and add $\sigma\neg\psi_1$ and $\sigma\neg\psi_2$ respectively
to the first and to the second branch;

- $@_c\psi$ (resp. $\neg@_c\psi$) then, if there is a prefix $\tau$ such that $\tau c$ is on $\theta$, add $\tau\psi$
(resp. $\tau\neg\psi$) to $\theta$; else, add $\tau c$ and $\tau\psi$ (resp. $\tau c$ and $\tau\neg\psi$) to $\theta$. (Here $\tau$ is the
first prefix in the enumeration $E_{pref}$ that is not on the tableau.)

Declare $\sigma\varphi$ finished.

For all open branches $\theta$, if $c$ and $c_1$ are nominals and $\sigma$, $\tau$ and $\sigma_1$ prefixes such
that $\sigma c$, $\tau c$, $\sigma_1 c_1$, $\tau c_1$ are on $\theta$, add $\sigma_1 c$, $\sigma c_1$ to $\theta$, and declare them finished.
Complete Step 1. Denote the tableau that has been constructed by $T_1$.

Suppose that $n$ steps of the procedure have been completed, and the tableau
that has been constructed is denoted by $T_n$. If $T_n$ is a closed tableau or all
occurrences of prefixed sentences of the form $\sigma\neg\Box\psi$ are finished, stop. Otherwise:

Step $n+1$. Consider the following four conditions:

(A) There is an unfinished occurrence of a prefixed sentence that is neither of the
form $\tau\Box\psi$ nor of the form $\tau\neg\Box\psi$ with $\tau$ of depth $n+1$;

(B) There is a branch $\theta$, a prefixed sentence $\sigma\Box\varphi$ and a prefix $\sigma'$ such that both
$\sigma\Box\varphi$ and $\sigma < \sigma'$ are on $\theta$, but $\sigma'\varphi$ is not on $\theta$;

(C) There is a branch $\theta$ such that the S'-Identifying rule is applicable to $\theta$. (That
is, there is a branch $\theta$ such that $\theta$ contains $\sigma c$, $\tau c$, $\sigma\Box\psi$ and $\tau < \tau'$ and $\theta$ does
not contain $\tau'\psi$.)

(D) There is a branch $\theta$ such that for some nominals $c$ and $c_1$ and some prefixes
$\sigma$, $\tau$ and $\sigma_1$, $\sigma c$, $\tau c$, $\sigma_1 c_1$, $\tau c_1$ are on $\theta$ but $\sigma_1 c$, $\sigma c_1$ are not on $\theta$.

While at least one of (A), (B), (C) or (D) holds do the following:

(1) If $\sigma\varphi$ is an unfinished occurrence of a prefixed sentence such that $\sigma\varphi$ is neither
of the form $\tau\Box\psi$ nor of the form $\tau\neg\Box\psi$ with $\tau$ of depth $n+1$ then, for all branches $\theta$
through $\sigma\varphi$, if $\varphi$ is of the form:

- atomic, do not extend $\theta$;

- $\neg\neg\psi$ (resp. $\psi_1 \wedge \psi_2$), add $\sigma\psi$ (resp. $\sigma\psi_1$ and $\sigma\psi_2$) to $\theta$;

- $\neg(\psi_1 \wedge \psi_2)$, split $\theta$ into two branches and add $\sigma\neg\psi_1$ and $\sigma\neg\psi_2$ respectively
to the first and to the second branch;

- $\neg\Box\psi$, and there are no $\tau$ and $c$ such that $\sigma c$, $\tau c$ and $\tau\neg\Box\psi$ are on $\theta$ and
$\tau\neg\Box\psi$ is finished, add $\sigma < \sigma'$, $\sigma'\neg\psi$ and $\sigma' c$ to $\theta$. (Here $\sigma'$ is the first prefix in
$E_{pref}$ that is not on the tableau and $c$ is the first nominal in $E_{nom}$ that is not
on the tableau.)

- $@_c\psi$ (resp. $\neg@_c\psi$) then, if there is a prefix $\tau$ such that $\tau c$ is on $\theta$, add $\tau\psi$
(resp. $\tau\neg\psi$) to $\theta$; else, add $\tau c$ and $\tau\psi$ (resp. $\tau c$ and $\tau\neg\psi$) to $\theta$. (Here $\tau$ is the
first prefix in the enumeration $E_{pref}$ that is not on the tableau.)

Declare $\sigma\varphi$ finished.

(2) If $\sigma\Box\psi$ is an occurrence of a prefixed sentence then, for all branches $\theta$ through
$\sigma\Box\psi$, if $\sigma'$ is such that $\sigma < \sigma'$ is on $\theta$ but $\sigma'\psi$ is not on $\theta$, add $\sigma'\psi$ to $\theta$.

(3) If $\theta$ is a branch such that the S'-Identifying rule is applicable to $\theta$, apply the
rule. (That is, if $\theta$ contains $\sigma c$, $\tau c$, $\sigma\Box\psi$ and $\tau < \tau'$ and $\theta$ does not contain $\tau'\psi$,
add $\tau'\psi$ to $\theta$.)

(4) If $\theta$ is an open branch such that for some nominals $c$ and $c_1$ and some prefixes
$\sigma$, $\tau$ and $\sigma_1$, $\sigma c$, $\tau c$, $\sigma_1 c_1$, $\tau c_1$ are on $\theta$, add $\sigma_1 c$, $\sigma c_1$ to $\theta$.

Complete Step $n+1$. Denote the tableau that has been constructed by $T_{n+1}$.

End of the procedure.

Theorem 2. The above procedure terminates and is a decision procedure for the
languages $\mathcal{L}_\emptyset$ and $\mathcal{L}(@)$.

Proof. First, for the sake of a contradiction suppose that there is a sentence $\chi$
such that on input $\chi$ the procedure will not terminate. Then, by König's lemma
(cf. [10]), there will be an infinite branch, say $\theta$. Let $\theta^n$ be the part of $\theta$ constructed
in Step $n$, that is, $\theta^n$ is $\theta \cap T_n$. Note that all prefixes that occur on $\theta^n$
have depth at most $n$. Define $c(\theta^n) = \max\{c(\varphi) \mid \sigma\varphi \text{ on } \theta^n,\ \sigma \text{ has depth } n\}$
to be the maximal complexity of a sentence $\varphi$ that occurs on $\theta^n$ prefixed by
some $\sigma$ of depth $n$. (The complexity $c(\varphi)$ of a sentence $\varphi$ is the number of occurrences
of Boolean connectives and operators in $\varphi$.) Define $b(\theta^n)$ and $d(\theta^n)$ to be
the cardinality of respectively $\{c\Box\psi \mid \exists\sigma : \sigma c \text{ and } \sigma\Box\psi \text{ are on } \theta^n\}$ and
$\{c\neg\Box\psi \mid \exists\sigma : \sigma c \text{ and } \sigma\neg\Box\psi \text{ are on } \theta^n,\ \sigma\neg\Box\psi \text{ is finished on } \theta^n\}$. Let
$s(\theta^n) = b(\theta^n) - d(\theta^n)$.

For all $n$, $s(\theta^n) \le s(\theta^{n-1})$. Moreover, if in Step $n$ no S'-Identifying rule that
results in extending $\theta^n$ has been applied, then $c(\theta^n) = c(\theta^{n-1}) - 1$. Otherwise,
it is possible that $c(\theta^n) > c(\theta^{n-1})$. However, if in Step $n$ the S'-Identifying rule
has been applied at least once, then $s(\theta^n) \le s(\theta^{n-1}) - 1$. This contradicts the
assumption that $\theta$ is infinite.

Second, let $\chi$ be an arbitrary sentence of either $\mathcal{L}_\emptyset$ or $\mathcal{L}(@)$. From the above
we know that the procedure on input $\chi$ will terminate, say after completing Step
$n$. Then the tableau $T_n$ that has been constructed is either closed, or contains
an open branch, say $\theta$. Note that the set of all prefixed sentences on $\theta$ is labeled.
Moreover, $\theta$ is saturated in the following sense: $\theta$ satisfies conditions (1), (2), (4),
(5), (6), ($@$) and ($@'$) of Definition 3 as well as conditions (3)' and (7)' defined
below:

(3)' for all nominals $c$, all prefixes $\sigma$, $\tau$ and $\tau'$, if $\sigma c$, $\tau c$, $\sigma\Box\psi$ and $\tau < \tau'$ are on
$\theta$, then $\tau'\psi$ is on $\theta$ too;

(7)' if $\sigma\neg\Box\varphi$ is on $\theta$ then there are prefixes $\tau$ and $\tau'$ and a nominal $c$ such that
$\sigma c$, $\tau c$, $\tau < \tau'$ and $\tau'\neg\varphi$ are on $\theta$.

292    Miroslava Tzakova

Then, similarly to the proof of Lemma 2, we can show that $\theta$ is satisfiable.
Abstract. We show how to integrate implicit inductive theorem proving
into free variable sequent and tableau calculi and compare the appropriateness
of tableau calculi for this integration with that of sequent calculi.

When first-order validity is introduced to students it comes with some complete 
calculus. If this calculus happens to be an analytic calculus augmented with a 
Cut rule like a sequent or tableau calculus the students can compare the for- 
mal proofs with the informal ones they are hopefully acquainted with. This is 
because these calculi can mirror the human proof search process better than 
others. While knowing a complete calculus does not mean to know much about 
first-order theorem proving, the interrelation of a human-oriented calculus and 
the informal proof search of the students will turn out to be fruitful for their 
later mathematical work. It is a pity that — while nearly all proofs of a working 
mathematician include induction — nothing comparable for inductive first-order 
validity is offered to the students. Some may argue that this is generally im- 
possible because not even the theory of the Peano algebra of natural numbers 
is recursively enumerable, cf. e.g. Enderton (1973). Nevertheless, there really is 
some general way a working mathematician searches for an informal proof, may 
it be inductive or not. The inductive version of this proof search method goes 
back to the ancient Greeks and was rediscovered under the name “descente in- 
finie” by Pierre de Fermat (1601-1665). If you want to prove a conjecture, this 
method requires that you show, for each assumed counterexample of the conjec- 
ture, the existence of another counterexample of the conjecture that is strictly 
smaller in some wellfounded ordering. The working mathematician applies it in 
the following fashion. He (who may be female!) starts with the conjecture and 
simplifies it in case analyses which can be described as steps in a sequent or 
tableau calculus with Cut. When he realizes that the goals become similar to a 
different instance of the conjecture, he applies the conjecture just like a lemma, 
but keeps in mind that he actually has applied some induction hypothesis. Fi- 
nally, he searches for some wellfounded ordering in which all the instances of 
the conjecture that he has applied as induction hypotheses are smaller than the 
original conjecture itself. Looking for a formal inductive calculus for mirroring 
this style of human inductive theorem proving (ITP), the “implicit induction” of 
Bachmair (1988) was a starting point because it included hypothesis application, 
although it was restricted to universally quantified pure equations and was not 
human-oriented. In Wirth (1997) we have presented a human-oriented inductive 
calculus for universally quantified clausal logic. In Kiihler (1999) — implemented 
as the QuodLibet system — this calculus is extended with some necessary and 
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important concretion for reasoning on the induction ordering and with a tactic- 
based concept for proof guidance that is intended to partially automate the 
construction of proofs. Extending this approach to full first-order logic turned 
out to be more difficult than expected (cf., however, Padawitz (1996) for the 
extension to another interesting sub-class): The state-of-the-art free variable an- 
alytic first-order calculi were not suited for the integration of “implicit induction” 
because they confused the Herbrand universes with their Skolem functions and 
did not preserve solutions (i.e. closing substitutions) (like Prolog does), thereby 
destroying the wellfoundedness of “descente infinie” . In Wirth (1998) we have 
developed sequent and tableau calculi for full first-order formulas that do not 
Skolemize but do preserve solutions. These new calculi come in two versions. The 
weak version is simple, but cannot model liberalized versions of the (J-rule, which 
the strong version can. Since the strong version is much more complicated, the 
space is limited here, and many researchers today are quite unacquainted with 
“descente infinie” , in this paper we will use the weak version only and concen- 
trate on the inductive aspects (i.e. induction hypothesis application) and not on 
the deductive ones (i.e. n-, /?-, 7 -, and d-steps, cf. Smullyan (1968)). Even for 
the experts in implicit ITP each of the following aspects will be new: Tableau 
presentation, full first-order formulas, and free variables. 

We use '$\uplus$' for the union of disjoint classes and '$\mathrm{id}$' for the identity function.
For a class $R$ we define domain, range, restriction to, image and reverse-image of
a class $A$ by $\mathrm{dom}(R) := \{a \mid \exists b : (a,b) \in R\}$; $\mathrm{ran}(R) := \{b \mid \exists a : (a,b) \in R\}$;
$A{\upharpoonright}R := \{(a,b) \in R \mid a \in A\}$; $\langle A \rangle R := \{b \mid \exists a \in A : (a,b) \in R\}$; $R\langle B \rangle :=
\{a \mid \exists b \in B : (a,b) \in R\}$. '$\mathbb{N}$' denotes the set of and the ordering on natural
numbers. We use '$\emptyset$' to denote the empty set as well as the empty function or
empty word. A quasi-ordering $\le$ on $A$ is an $A$-reflexive and transitive (binary)
relation on $A$. As with all our asymmetric relation symbols we define $a \ge b$ if
$b \le a$. By an (irreflexive) ordering (on $A$) we mean an irreflexive and transitive
relation (on $A$). The ordering $<$ of a quasi-ordering $\le$ is $\le \setminus \ge$. A quasi-ordering
$\le$ is called total on $C$ if $C \times C \subseteq \le \cup \ge$. A $\le$-chain is some subclass $C \subseteq A$
such that $\le$ is total on $C$. $<$ is called wellfounded if each $<$-chain $C$ has a
least element, i.e. $\exists a \in C : \forall b \in C : a \le b$. The class of total functions from $A$ to
$B$ is denoted with $A \to B$. The class of (possibly) partial functions from $A$ to $B$
is denoted with $A \leadsto B$.

We define a sequent to be a list of formulas. The conjugate of a formula $A$
(written: $\overline{A}$) is the formula $B$ if $A$ is of the form $\neg B$, and the formula $\neg A$
otherwise. In the tradition of Gentzen (1935) we assume the symbols for free
existential variables (i.e. the free variables of Fitting (1996)), free universal variables
(i.e. nullary parameters), bound variables (i.e. variables for quantified use
only), and the constants (i.e. the function (and predicate) symbols from the signature)
to come from four disjoint sets $V_\exists$, $V_\forall$, $V_{bound}$, and $\Sigma$. We assume each
of $V_\exists$, $V_\forall$, $V_{bound}$ to be infinite (for each sort) and set $V_{free} := V_\exists \uplus V_\forall$. For a term,
formula, sequent $\Gamma$ etc., '$V_\exists(\Gamma)$', '$V_\forall(\Gamma)$', '$V_{bound}(\Gamma)$', '$V_{free}(\Gamma)$' denote the sets of
variables from $V_\exists$, $V_\forall$, $V_{bound}$, $V_{free}$ occurring in $\Gamma$, resp. For a substitution $\sigma$ we
denote with '$\Gamma\sigma$' the result of replacing in $\Gamma$ each variable $x$ in $\mathrm{dom}(\sigma)$ with $\sigma(x)$.
We tacitly assume that each substitution $\sigma$ satisfies $V_{bound}(\mathrm{dom}(\sigma) \cup \mathrm{ran}(\sigma))
= \emptyset$, such that no bound variables can be replaced and no additional variables
become bound (i.e. captured) when applying $\sigma$.

A variable-condition $R$ is a subset of $V_\exists \times V_\forall$. Roughly speaking, $(x^\exists, y^\forall) \in R$
says that $x^\exists$ is older than $y^\forall$, so that we must not instantiate the free existential
variable $x^\exists$ with a term containing $y^\forall$.

Validity is expected to be given with respect to some $\Sigma$-structure ($\Sigma$-algebra)
$\mathcal{A}$, assigning a universe (to each sort) and an appropriate function to each symbol
in $\Sigma$. For $X \subseteq V_{free}$ we denote the set of total $\mathcal{A}$-valuations of $X$ (i.e. functions
mapping free variables to objects of the universe of $\mathcal{A}$ (respecting sorts)) with
$X \to \mathcal{A}$ and the set of (possibly) partial $\mathcal{A}$-valuations of $X$ with $X \leadsto \mathcal{A}$. For
$\pi \in X \to \mathcal{A}$ we denote with $\mathcal{A} \uplus \pi$ the extension of $\mathcal{A}$ to the variables of $X$
which are then treated as nullary constants. More precisely, we assume the existence
of some evaluation function '$\mathrm{eval}$' such that $\mathrm{eval}(\mathcal{A} \uplus \pi)$ maps any term
over $\Sigma \uplus X$ into the universe of $\mathcal{A}$ (respecting sorts) such that for all $x \in X$:
$\mathrm{eval}(\mathcal{A} \uplus \pi)(x) = \pi(x)$. Moreover, $\mathrm{eval}(\mathcal{A} \uplus \pi)$ maps any formula $B$ over $\Sigma \uplus X$ to
TRUE or FALSE, such that $B$ is valid in $\mathcal{A} \uplus \pi$ iff $\mathrm{eval}(\mathcal{A} \uplus \pi)(B) = \mathrm{TRUE}$. We
assume that the Substitution-Lemma holds in the sense that, for any substitution
$\sigma$, $\Sigma$-structure $\mathcal{A}$, and valuation $\pi \in V_{free} \to \mathcal{A}$, validity of a formula $B$ in
$\mathcal{A} \uplus ((\sigma \uplus V_{free}{\setminus}\mathrm{dom}(\sigma){\upharpoonright}\mathrm{id}) \circ \mathrm{eval}(\mathcal{A} \uplus \pi))$ is logically equivalent to validity
of $B\sigma$ in $\mathcal{A} \uplus \pi$. Finally, we assume that the value of the evaluation function on
a term or formula $B$ does not depend on the free variables that do not occur
in $B$: $\mathrm{eval}(\mathcal{A} \uplus \pi)(B) = \mathrm{eval}(\mathcal{A} \uplus V_{free}(B){\upharpoonright}\pi)(B)$. Further properties of validity
or evaluation are definitely not needed.

We are now going to briefly recapitulate the notions from the weak version
of Wirth (1998) which we need in what follows. Several binary relations on free
variables will be introduced. The overall idea is that when $(x, y)$ occurs in such a
relation this means something like "$x$ is older than $y$" or "the value of $y$ depends
on or is described in terms of $x$".

Definition 0.1 ($E_\sigma$, $U_\sigma$, Existential $R$-Substitution, $\sigma$-Update)

For a substitution $\sigma$ with $\mathrm{dom}(\sigma) = V_\exists$ we define the existential relation to be
$E_\sigma := \{(u, x) \mid u \in V_\exists(\sigma(x)) \wedge x \in V_\exists\}$ and the universal relation to be
$U_\sigma := \{(y, x) \mid y \in V_\forall(\sigma(x)) \wedge x \in V_\exists\}$.

Let $R$ be a variable-condition. $\sigma$ is an existential $R$-substitution if $\sigma$ is a
substitution with $\mathrm{dom}(\sigma) = V_\exists$ for which $U_\sigma \circ R$ is irreflexive.

Let $\sigma$ be an existential $R$-substitution. The $\sigma$-update of $R$ is $E_\sigma \circ R$.

Note that, regarding syntax, $(x^\exists, y^\forall) \in R$ is intended to mean that an existential
$R$-substitution $\sigma$ may not replace $x^\exists$ with a term in which $y^\forall$ occurs, i.e.
$(y^\forall, x^\exists) \in U_\sigma$ must be disallowed, i.e. $U_\sigma \circ R$ must be irreflexive.

After application of an existential $R$-substitution $\sigma$, in case of $(x^\exists, y^\forall) \in R$,
we have to ensure that $x^\exists$ is not replaced with $y^\forall$ via a future application of
another existential $R$-substitution that replaces a free existential variable $u^\exists$
occurring in $\sigma(x^\exists)$ with $y^\forall$. In this case, the new variable-condition has to contain
$(u^\exists, y^\forall)$. This means that $E_\sigma \circ R$ must be a subset of the updated variable-condition.
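The relations $E_\sigma$ and $U_\sigma$, the irreflexivity check that makes $\sigma$ an existential $R$-substitution, and the $\sigma$-update $E_\sigma \circ R$, as an added Python example. This is not code from the paper; it assumes terms are variable names or nested tuples of the form ("f", t1, ..., tn), that the sets $V_\exists$ and $V_\forall$ are given explicitly (here the constructed sets EXIST and UNIV), and that a substitution is a dictionary on existential variables which maps every unlisted existential variable to itself, so that $\mathrm{dom}(\sigma) = V_\exists$ as the definition requires. Composition is read as $A \circ B = \{(a, c) \mid \exists b : (a,b) \in A \wedge (b,c) \in B\}$, the reading under which $(y, x) \in U_\sigma$ and $(x, y) \in R$ put $(y, y)$ into $U_\sigma \circ R$.

```python
# Variable-conditions, E_sigma, U_sigma, existential R-substitutions and the
# sigma-update of Definition 0.1. Added example, not code from the paper. Terms are
# variable names (strings) or tuples ("f", t1, ..., tn) for function applications;
# EXIST and UNIV are constructed sets standing in for V_exists and V_forall. A
# substitution is a dict on existential variables; variables it does not list are
# mapped to themselves, so dom(sigma) = V_exists as the definition requires.
# Composition is read as A o B = {(a, c) | exists b: (a, b) in A and (b, c) in B}.


def variables(term):
    """All variable names occurring in a term."""
    if isinstance(term, str):
        return {term}
    return set().union(*(variables(t) for t in term[1:]))


def compose(a, b):
    return {(x, z) for x, y in a for y2, z in b if y == y2}


def irreflexive(rel):
    return all(x != y for x, y in rel)


def existential_relation(sigma, exist):
    """E_sigma = {(u, x) | u in V_exists(sigma(x)), x in V_exists}."""
    return {(u, x) for x in exist for u in variables(sigma.get(x, x)) & exist}


def universal_relation(sigma, exist, univ):
    """U_sigma = {(y, x) | y in V_forall(sigma(x)), x in V_exists}."""
    return {(y, x) for x in exist for y in variables(sigma.get(x, x)) & univ}


def is_existential_r_substitution(sigma, r, exist, univ):
    """sigma is an existential R-substitution iff U_sigma o R is irreflexive."""
    assert r <= {(x, y) for x in exist for y in univ}, "R must be a subset of V_exists x V_forall"
    return irreflexive(compose(universal_relation(sigma, exist, univ), r))


def update(sigma, r, exist, univ):
    """The sigma-update E_sigma o R, defined only for existential R-substitutions."""
    if not is_existential_r_substitution(sigma, r, exist, univ):
        raise ValueError("not an existential R-substitution for this variable-condition")
    return compose(existential_relation(sigma, exist), r)


# Constructed example: (x, y) in R0 says that x is older than y, so x must not be
# instantiated with a term containing y.
EXIST, UNIV = {"x", "u"}, {"y", "z"}
R0 = {("x", "y")}
```

With `R0`, the substitution $\{x \mapsto f(y)\}$ is rejected, $\{x \mapsto f(u, z)\}$ is admitted and its update is $\{(u, y)\}$, which in turn rejects the later substitution $\{u \mapsto g(y)\}$, exactly the situation described in the paragraph above.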
Let $\mathcal{A}$ be some $\Sigma$-structure. We now define a semantic counterpart of our existential
$R$-substitutions, which we will call "existential $(\mathcal{A}, R)$-valuation". Suppose
that $e$ maps each free existential variable not directly to an object of $\mathcal{A}$ (of the
same sort), but can additionally read the values of some free universal variables
under an $\mathcal{A}$-valuation $\pi \in V_\forall \to \mathcal{A}$, i.e. $e$ gets some $\pi' \in V_\forall \leadsto \mathcal{A}$ with $\pi' \subseteq \pi$
as a second argument; short: $e : V_\exists \to ((V_\forall \leadsto \mathcal{A}) \leadsto \mathcal{A})$. Moreover, for each
free existential variable $x$, we require the set of read free universal variables (i.e.
$\mathrm{dom}(\pi')$) to be identical for all $\pi$; i.e. there has to be some "semantic relation"
$S_e \subseteq V_\forall \times V_\exists$ such that for all $x \in V_\exists$: $e(x) : (S_e\langle\{x\}\rangle \to \mathcal{A}) \to \mathcal{A}$. Note that, for
each $e$, at most one semantic relation exists, namely

$S_e := \{(y, x) \mid y \in \mathrm{dom}(\bigcup(\mathrm{dom}(e(x)))) \wedge x \in V_\exists\}$.

Definition 0.2 ($S_e$, Existential $(\mathcal{A}, R)$-Valuation, $\varepsilon$)

Let $R$ be a variable-condition, $\mathcal{A}$ a $\Sigma$-structure, and $e : V_\exists \to ((V_\forall \leadsto \mathcal{A}) \leadsto \mathcal{A})$.
The semantic relation of $e$ is $S_e := \{(y, x) \mid y \in \mathrm{dom}(\bigcup(\mathrm{dom}(e(x)))) \wedge x \in V_\exists\}$.
$e$ is an existential $(\mathcal{A}, R)$-valuation if $S_e \circ R$ is irreflexive and, for all $x \in V_\exists$,
$e(x) : (S_e\langle\{x\}\rangle \to \mathcal{A}) \to \mathcal{A}$.

Finally, for applying existential $(\mathcal{A}, R)$-valuations in a uniform manner, we define
the function $\varepsilon : (V_\exists \to ((V_\forall \leadsto \mathcal{A}) \leadsto \mathcal{A})) \to ((V_\forall \to \mathcal{A}) \to (V_\exists \to \mathcal{A}))$
by (for $e \in V_\exists \to ((V_\forall \leadsto \mathcal{A}) \leadsto \mathcal{A})$, $\pi \in V_\forall \to \mathcal{A}$, $x \in V_\exists$)

$\varepsilon(e)(\pi)(x) := e(x)(S_e\langle\{x\}\rangle{\upharpoonright}\pi)$.

Lemma 0.3 Let $R$ be a variable-condition.

1. Let $R'$ be a variable-condition with $R \subseteq R'$.
For each existential $(\mathcal{A}, R')$-valuation $e'$ there is some
existential $(\mathcal{A}, R)$-valuation $e$ such that $\varepsilon(e) = \varepsilon(e')$.

2. Let $\sigma$ be an existential $R$-substitution and $R'$ the $\sigma$-update of $R$.
For each existential $(\mathcal{A}, R')$-valuation $e'$ there is some
existential $(\mathcal{A}, R)$-valuation $e$ such that for all $\pi \in V_\forall \to \mathcal{A}$:

$\varepsilon(e)(\pi) = \sigma \circ \mathrm{eval}(\mathcal{A} \uplus \varepsilon(e')(\pi) \uplus \pi)$.

We now define $R$-validity of a set of sequents with free variables, in terms of validity of a formula (where the free variables are treated as nullary constants).

Definition 0.4 (Validity)

Let $R$ be a variable-condition, $A$ a $\Sigma$-structure, and $G$ a set of sequents.

$G$ is $R$-valid in $A$ if there is an existential $(A,R)$-valuation $e$ such that $G$ is $(e,A)$-valid.

$G$ is $(e,A)$-valid if $G$ is $(\pi,e,A)$-valid for all $\pi \in V_\forall \to A$.

$G$ is $(\pi,e,A)$-valid if $G$ is valid in $A \uplus \epsilon(e)(\pi) \uplus \pi$.

$G$ is valid in $A$ if for all $\Gamma \in G$: $\Gamma$ is valid in $A$.

A sequent $\Gamma$ is valid in $A$ if there is some formula listed in $\Gamma$ that is valid in $A$. Validity in a class of $\Sigma$-structures is understood as validity in each of the $\Sigma$-structures of that class. If we omit the reference to a special $\Sigma$-structure we mean validity in some fixed class $K$ of $\Sigma$-structures, e.g. the class of all $\Sigma$-structures ($\Sigma$-algebras) or the class of Herbrand $\Sigma$-structures (term-generated $\Sigma$-algebras), cf. Wirth (1997), Wirth & Gramlich (1994) for more interesting classes for establishing inductive validities.
Lemma 0.5 (Anti-Monotonicity of Validity in $R$)

Let $G$ be a set of sequents and $R$ and $R'$ variable-conditions with $R \subseteq R'$. Now: If $G$ is $R'$-valid in $A$, then $G$ is $R$-valid in $A$.

Example 0.6 (Validity)

For $x^\exists \in V_\exists$, $y^\forall \in V_\forall$, the sequent $x^\exists = y^\forall$ is $\emptyset$-valid in any $A$ because we can choose $S_e := V_\forall \times V_\exists$ and $e(x^\exists)(\pi) := \pi(y^\forall)$ resulting in $\epsilon(e)(\pi)(x^\exists) = e(x^\exists)(S_e(\{x^\exists\})|\pi) = e(x^\exists)(V_\forall|\pi) = \pi(y^\forall)$. This means that $\emptyset$-validity of $x^\exists = y^\forall$ is the same as validity of $\forall y\colon \exists x\colon x = y$. Moreover, note that $\epsilon(e)(\pi)$ has access to the $\pi$-value of $y^\forall$ just as a raising function $f$ for $x$ in the raised (i.e. dually Skolemized) version $f(y^\forall) = y^\forall$ of $\forall y\colon \exists x\colon x = y$.

Contrary to this, for $R := V_\exists \times V_\forall$, the same formula $x^\exists = y^\forall$ is not $R$-valid in general because then the required irreflexivity of $S_e \circ R$ implies $S_e = \emptyset$ and $\epsilon(e)(\pi)(x^\exists) = e(x^\exists)(\emptyset|\pi) = e(x^\exists)(\emptyset)$ cannot depend on $\pi(y^\forall)$ anymore. This means that $(V_\exists \times V_\forall)$-validity of $x^\exists = y^\forall$ is the same as validity of $\exists x\colon \forall y\colon x = y$. Moreover, note that $\epsilon(e)(\pi)$ has no access to the $\pi$-value of $y^\forall$ just as a raising function $c$ for $x$ in the raised version $c = y^\forall$ of $\exists x\colon \forall y\colon x = y$.

For a more general example let $G = \{\, A_{i,0} \cdots A_{i,n_i-1} \mid i \in I \,\}$, where for $j < n_i$ and $i \in I$ the $A_{i,j}$ are formulas with free existential variables from $x$ and free universal variables from $y$. Then $(V_\exists \times V_\forall)$-validity of $G$ means validity of $\exists x\colon \forall y\colon \forall i \in I\colon \exists j < n_i\colon A_{i,j}$; whereas $\emptyset$-validity of $G$ means validity of $\forall y\colon \exists x\colon \forall i \in I\colon \exists j < n_i\colon A_{i,j}$.



1 Weights, Syntactic Constructs, and Counterexamples 

A proposition $\Gamma$ can be proved by induction as follows:

Show that for each counterexample of $\Gamma$ there is another counterexample of $\Gamma$ that is strictly smaller in a quasi-ordering $<$ in that each $<$-chain [of counterexamples] has a least element!

Now by the Principle of Dependent Choice (cf. Rubin & Rubin (1985)) a class without minimal elements contains a chain without a least element. Thus, if we can show the above, we know that $\Gamma$ cannot have any counterexamples at all and must be valid.

This paradigm of ITP was already used by the ancient Greeks, rediscov- 
ered by Pierre de Fermat under the name “descente infinie” , and is in our time 
sometimes called “implicit induction” , cf. Wirth & Becker (1995). Moreover note 
that theoretically it is also possible to use the strictly stronger Axiom of Choice 
instead but require only that each < -chain [of counterexamples] has a lower 
bound [being a counterexample], cf. Geser (1995). 

In order to measure our sequents in our induction ordering (i.e. the above quasi-ordering for avoiding non-termination in the inductive argumentation), we supply them with weights from some set 'Weight'. Why these explicit weights are so important in implicit induction is explained in Wirth & Becker (1995) and in more detail in Wirth (1997), section 12. A weight $\mathfrak{W}$ together with a sequent $\Gamma$ forms a syntactic construct $(\Gamma, \mathfrak{W})$. For practical purposes a weight initially is a term $w(y_0, \ldots, y_{n-1})$ where the $y_i$ are the free universal variables of $\Gamma$ and $w$ is similar to a global (rigid) free existential variable in that it can be chosen appropriately during the induction proof, e.g. when the goal is $w(t_1, t_2) < w(t_2, s(t_1))$ for natural number terms $t_i$ a good idea might be to choose $w$ to be the addition on natural numbers, or when in another proof we have the goals $w(\ldots, (t_1 + t_2)) < w(s(t_1), t_1)$ and $w(\ldots, t_2) < w(\ldots, s(t_2))$ a good idea might be to choose $w$ to be the lexicographic combination of length up to 2. While in principle the induction ordering could also be chosen differently for each proof, in practice it has proved sufficient and adequate to use a fixed wellfounded quasi-ordering (depending on the $\Sigma$-structures). E.g. in QuodLibet, a tactic-based ITP system for clausal logic, we essentially use the size of a uniquely denoting constructor ground term in the standard ordering on natural numbers, cf. Kühler (1999). Therefore, we assume that for each $\Sigma$-structure $A \in K$ there is some wellfounded quasi-ordering $<_A$. Furthermore, we assume that $\Sigma$ contains the binary constant predicate symbol $<$ which is interpreted by $A$ as $<_A$, i.e. the ordering of $A$. Furthermore, $A$ should be able to interpret the functions constructing the weight terms (lexicographic combination etc.) as functions into $\mathrm{dom}(<_A)$.

Syntactic constructs are the basic data structure for ITP, just like sequents or formulas are for the deductive case. The set of all syntactic constructs is denoted by 'SynCons'. The function 'logic' extracts the logic part (here: the sequents) of a set $G$ of syntactic constructs: $\mathrm{logic}(G) := \mathrm{dom}(G)$.

For powerful ITP we have to be able to restrict the test of whether the weight of a hypothesis is smaller than the weight of a goal (which has to be satisfied for the permission to apply the hypothesis to the goal) to the special case semantically described by their logic parts. This can be achieved by considering only such instances of their weights that result from those valuations that describe invalid instances of their logic parts. A syntactic construct augmented with such a valuation providing extra information on the invalidity of its logic part in some $\Sigma$-structure $A$ is called a "counterexample". More precisely, for an existential $(A,R)$-valuation $e$ we define: $(S,\pi)$ is an $(e,A)$-counterexample (for $S$) if $S$ is a syntactic construct, $\pi \in V_\forall \to A$, and $\mathrm{logic}(\{S\})$ is not $(\pi,e,A)$-valid. Thus, the logic part of a syntactic construct $S$ is $(e,A)$-valid iff $S$ has no $(e,A)$-counterexamples. Furthermore, our induction ordering is not simply a wellfounded quasi-ordering on 'Weight' but actually the function mapping each $(e,A)$, where $A$ is a $\Sigma$-structure from $K$ and $e$ an existential $(A,R)$-valuation, to the wellfounded quasi-ordering on $\mathrm{Weight} \times (V_\forall \to A)$ given by

$(\mathfrak{W}, \pi) <_{(e,A)} (\mathfrak{W}', \pi')$ if $\mathrm{eval}(A \uplus \epsilon(e)(\pi) \uplus \pi)(\mathfrak{W}) <_A \mathrm{eval}(A \uplus \epsilon(e)(\pi') \uplus \pi')(\mathfrak{W}')$.

Finally, we extend the induction ordering to $\mathrm{SynCons} \times (V_\forall \to A)$ by defining $((\Gamma, \mathfrak{W}), \pi) <_{(e,A)} ((\Gamma', \mathfrak{W}'), \pi')$ if $(\mathfrak{W}, \pi) <_{(e,A)} (\mathfrak{W}', \pi')$.

Note that our induction ordering is semantic in the sense of Definition 13.7 of Wirth (1997) because it cannot depend on the syntactic term structure of a weight $\mathfrak{W}$ but only on the value of $\mathfrak{W}$ under the evaluation function. In Wirth (1997) we have rigorously investigated the price one has to pay for the possibility to have induction orderings also depending on the syntax of weights. For powerful concrete inference systems this price is surprisingly high. Furthermore, after improving the ordering information in implicit induction by our introduction of explicit weights, the former necessity of sophisticated induction orderings that exploit the term structure does not seem to exist anymore.



Definition 1.1 (Foundedness) (Cf. Wirth & Becker (1995))

Let $R$ be a variable-condition. Let $H, G_0, G_1 \subseteq \mathrm{SynCons}$. Now $G_0$ is $R$-strict/quasi-founded on $(H, G_1)$ if

$\forall A \in K\colon\ \forall e \text{ existential } (A,R)\text{-valuation}\colon\ \forall S \in G_0\colon\ \forall \pi\colon$

$\Big( (S,\pi) \text{ is an } (e,A)\text{-counterexample} \ \Rightarrow\ \exists S'\colon \exists \pi'\colon \Big( (S',\pi') \text{ is an } (e,A)\text{-counterexample} \ \wedge\ \big( (S' \in H \ \wedge\ (S',\pi') <_{(e,A)} (S,\pi)) \ \vee\ S' \in G_1 \big) \Big) \Big)$.

$G_0$ is strictly $R$-founded on $H$ if $G_0$ is $R$-strict/quasi-founded on $(H, \emptyset)$.

$G_0$ is (quasi-) $R$-founded on $G_1$ if $G_0$ is $R$-strict/quasi-founded on $(\emptyset, G_1)$.
Note that the expressive power of $R$-strict/quasi-foundedness is higher than that of strict $R$-foundedness and (quasi-) $R$-foundedness together: ($\{S\}$ is strictly $R$-founded on $H$ $\ \vee\ $ $\{S\}$ is $R$-founded on $G_1$) implies that $\{S\}$ is $R$-strict/quasi-founded on $(H, G_1)$ for $S \in \mathrm{SynCons}$, but the converse does not hold in general. For an informal but quite imaginative introduction to foundedness cf. Wirth (1997).



Lemma 1.2

Let $R, R'$ be variable-conditions; $G_0, G_1, G_2, G_3, H_1, H_2, H_3 \subseteq \mathrm{SynCons}$.

1. If $G_0$ is $R$-founded on $G_1$ and $\mathrm{logic}(G_1)$ is $R$-valid, then $\mathrm{logic}(G_0)$ is $R$-valid, too.

2. If $G_0 \subseteq G_1$, then $G_0$ is $R$-founded on $G_1$.

3. If $G_0$ is $R$-founded on $G_1$ and $G_1$ is $R$-strict/quasi-founded on $(H_2, G_2)$, then $G_0$ is $R$-strict/quasi-founded on $(H_2, G_2)$.

4. If $G_0$ is $R$-strict/quasi-founded on $(H_1, G_1)$ and $G_2$ is $R$-strict/quasi-founded on $(H_3, G_3)$, then $G_0 \cup G_2$ is $R$-strict/quasi-founded on $(H_1 \cup H_3, G_1 \cup G_3)$.

5. In case of $R \subseteq R'$: If $G_0$ is $R$-founded on $G_1$, then $G_0$ is $R'$-founded on $G_1$.

6. In case of $R'$ being the $\sigma$-update of $R$ for an existential $R$-substitution $\sigma$: If $G_0$ is $R$-founded on $G_1$, then $G_0\sigma$ is $R'$-founded on $G_1\sigma$.

7. If $H_1$ is $R$-strict/quasi-founded on $(H_1, G_1)$, then $H_1$ is $R$-founded on $G_1$.

Proof of Lemma 1.2: (1), (2), (3), and (4) are trivial. (5) follows from part (1) of Lemma 0.3, (6) follows from part (2) of Lemma 0.3. (7) relies on the wellfoundedness of $<_{(e,A)}$. $\square$



2 Abstract Inductive Calculi 

Now we are going to abstractly describe inductive sequent and tableau calculi. 
In Wirth (1998) we have shown that the usual deductive first-order calculi are 
instances of the deductive version of our abstract calculi. This will still be the 
case for the abstract calculi below, but in this paper we have to concentrate on 
the inductive part. The main difference to the deductive case is that the sequents 
are replaced with syntactic constructs, i.e. to each sequent a weight is added for 
controlling the loops in ITP. The benefit of the abstract version is that every 
instance is automatically sound. Due to the small number of inference rules in 
deductive first-order calculi and the locality of soundness, this abstract version is 
not really necessary for deductive calculi. For inductive calculi, however, due to 
a bigger number of inference rules (which usually have to be improved now and 
then) and the globality of soundness, such an abstract version is very helpful, 
cf. Wirth & Becker (1995), Wirth (1997). 

Definition 2.1 (Inductive Proof Forest) 

An inductive proof forest in a sequent (or else: tableau) calculus is a pair $(F,R)$ where $R$ is a variable-condition and $F$ is a set of pairs $(S,t)$, where $S$ is a syntactic construct and $t$ is a tree whose nodes are labeled with syntactic constructs (or else: whose root is labeled with a weight and whose other nodes are labeled with formulas).

Note that the tree t is intended to represent a proof attempt for S. In case of 
a tableau calculus the nodes of t are labeled with formulas (the root, however, 
with a weight). In case of a sequent calculus the nodes are labeled with syntactic 
constructs. While the syntactic constructs at the nodes of a tree in a sequent 
calculus stand for themselves, in a tableau calculus all the ancestors have to be 
included to make up a syntactic construct and, moreover, the formulas at the 
labels are in negated form: 

Definition 2.2 (Goals(), Closedness) 

'$\mathrm{Goals}(T)$' denotes the set of syntactic constructs labeling the leaves of the trees in the set $T$ (or else: the set of syntactic constructs $(\Delta, \mathfrak{V})$ with $\Delta$ resulting from listing the conjugates of the formulas labeling a branch from a leaf to the root (exclusively) in a tree $t$ in $T$ and $\mathfrak{V}$ being the label of the root of the tree $t$).

In what follows, we assume $\mathrm{Ax}$ to be some set of axioms. By this we mean that $\mathrm{Ax}$ is $V_\exists \times V_\forall$-valid. (Cf. the last sentence in Def. 0.4.)

The tree $t$ is closed if $\mathrm{logic}(\mathrm{Goals}(\{t\})) \subseteq \mathrm{Ax}$.

The readers may ask themselves why we consider a forest instead of a single tree only. If we have two trees $(S,t), (S',t') \in F$ we can apply $S$ as a lemma or induction hypothesis in the tree $t'$ of $S'$, provided that the lemma application relation is acyclic and the application of the hypothesis produces a goal that expresses that the instance of the hypothesis is smaller than $S'$ in the induction ordering.

Definition 2.3 (Inductive Invariant Condition) 

The inductive invariant condition on $(F,R)$ is that $H$ is $R$-founded on $\mathrm{Goals}(\mathrm{ran}(F))$ for the set of hypotheses $H := \mathrm{dom}(F)$.

From Lemma 0.5 and Lemma 1.2(1) we immediately get: 

Theorem 2.4 Let the inductive proof forest $(F,R)$ satisfy the above inductive invariant condition and set $H := \mathrm{dom}(F)$.

If all trees in $\mathrm{ran}(F)$ are closed, then $\mathrm{logic}(H)$ is $R$-valid.




Full First-Order Free Variable Sequents and Tableaux in Implicit Induction 301 



Note that, contrary to the deductive case, local argumentation on a single tree is not possible: If $(S,t) \in F$, $(F,R)$ satisfies the inductive invariant condition, and $t$ is closed, we do not know that $\mathrm{logic}(\{S\})$ is valid because we may have applied some induction hypothesis $S' \in H \setminus \{S\}$ when constructing the proof tree $t$ of $S$ and the proof tree of $S'$ is not closed. In other words, all trees in the forest must be closed before we know that any hypothesis in $\mathrm{logic}(H)$ is valid.

Theorem 2.5 The inductive invariant condition is always satisfied when we start with an empty inductive proof forest $(F,R) := (\emptyset, \emptyset)$ and then iterate only the following kinds of modifications of $(F,R)$ (resulting in $(F',R')$):

Hypothesizing: Let $R'$ be a variable-condition with $R \subseteq R'$. Let $(\Gamma, \mathfrak{W})$ be a syntactic construct. Let $t$ be the tree with a single node only, which is labeled with $(\Gamma, \mathfrak{W})$ (or else: with a single branch only, such that $\Gamma$ is the list of the conjugates of the formulas labeling the branch from the leaf to the root (exclusively) and $\mathfrak{W}$ is the label of the root). Then we may set $F' := F \cup \{((\Gamma, \mathfrak{W}), t)\}$.

Expansion: Let $R'$ be a variable-condition with $R \subseteq R'$. Let $(S,t) \in F$ and $H := \mathrm{dom}(F)$. Let $l$ be a leaf in $t$. Let $(\Delta, \mathfrak{V})$ be the label of $l$ (or else: let $\Delta$ result from listing the conjugates of the formulas labeling the branch from $l$ to the root (exclusively) and $\mathfrak{V}$ be the label of the root of $t$). Let $G$ be a finite set of syntactic constructs (or else: let $M$ be a finite set of sequents and set $G := \{\,(\Lambda\Delta, \mathfrak{V}) \mid \Lambda \in M\,\}$). Now if $\{(\Delta, \mathfrak{V})\}$ is $R'$-strict/quasi-founded on $(H, G)$ then we may set $F' := (F \setminus \{(S,t)\}) \cup \{(S,t')\}$ where $t'$ results from $t$ by adding to the former leaf $l$, exactly for each syntactic construct $S'$ in $G$, a new child node labeled with $S'$ (or else: exactly for each sequent $\Lambda$ in $M$ a new child branch such that $\Lambda$ is the list of the conjugates of the formulas labeling the branch from the leaf to the new child node of $l$).

Instantiation: Let $\sigma$ be an existential $R$-substitution. Let $R'$ be the $\sigma$-update of $R$. Then we may set $F' := F\sigma$.

Proof of Theorem 2.5: The empty proof forest satisfies the inductive invariant condition by Lemma 1.2(2). Hypothesizing: From $H$ being $R$-founded on $\mathrm{Goals}(\mathrm{ran}(F))$ we get that $H$ is $R'$-founded on $\mathrm{Goals}(\mathrm{ran}(F))$ by Lemma 1.2(5) for $H := \mathrm{dom}(F)$. Thus, from $\{(\Gamma,\mathfrak{W})\}$ being $R'$-founded on $\{(\Gamma,\mathfrak{W})\}$ (by Lemma 1.2(2)) we get that $H \cup \{(\Gamma,\mathfrak{W})\}$ is $R'$-founded on $\mathrm{Goals}(\mathrm{ran}(F)) \cup \{(\Gamma,\mathfrak{W})\}$ by Lemma 1.2(4), i.e. $H'$ is $R'$-founded on $\mathrm{Goals}(\mathrm{ran}(F'))$ for $H' := \mathrm{dom}(F')$. Expansion: $\{(\Delta,\mathfrak{V})\}$ being $R'$-strict/quasi-founded on $(H, G)$ and $\mathrm{Goals}(\mathrm{ran}(F)) \setminus \{(\Delta,\mathfrak{V})\}$ being $R'$-founded on $\mathrm{Goals}(\mathrm{ran}(F)) \setminus \{(\Delta,\mathfrak{V})\}$ (by Lemma 1.2(2)) give that $\mathrm{Goals}(\mathrm{ran}(F))$ is $R'$-strict/quasi-founded on $(H, G')$ for $G' := (\mathrm{Goals}(\mathrm{ran}(F)) \setminus \{(\Delta,\mathfrak{V})\}) \cup G$ by Lemma 1.2(4). From the old invariant condition ($H$ is $R$-founded on $\mathrm{Goals}(\mathrm{ran}(F))$) we get that $H$ is $R'$-founded on $\mathrm{Goals}(\mathrm{ran}(F))$ by Lemma 1.2(5), and then by Lemma 1.2(3) conclude that $H$ is $R'$-strict/quasi-founded on $(H, G')$. Thus, by Lemma 1.2(7) $H$ is $R'$-founded on $G'$, and then from $G'$ being $R'$-founded on $\mathrm{Goals}(\mathrm{ran}(F'))$ (due to Lemma 1.2(2)) we get that $H$ is $R'$-founded on $\mathrm{Goals}(\mathrm{ran}(F'))$ due to Lemma 1.2(3), which is the new invariant condition on $(F',R')$ due to $H = \mathrm{dom}(F) = \mathrm{dom}(F')$. Instantiation: From the old invariant condition ($H$ is $R$-founded on $\mathrm{Goals}(\mathrm{ran}(F))$ for $H := \mathrm{dom}(F)$) we get that $H\sigma$ is $R'$-founded on $\mathrm{Goals}(\mathrm{ran}(F\sigma))$ by Lemma 1.2(6), which is the new invariant condition on $(F',R')$ due to $\mathrm{dom}(F') = \mathrm{dom}(F)\sigma = H\sigma$. $\square$
Now the crucial step of implicit induction (i.e. the application of an induction hypothesis $(\Gamma, \mathfrak{W})$ instantiated with a substitution $\varrho$ to expand a goal) can be formulated as an Expansion step in the tableau calculus (sequent calculus analogously) as follows.

Theorem 2.6 Let $(F,R)$ be an inductive proof forest in a tableau calculus. We want to apply $(\Gamma, \mathfrak{W}) \in H := \mathrm{dom}(F)$ as an induction hypothesis to expand the goal $(\Delta, \mathfrak{V})$ that results from listing the conjugates of the formulas and the weight labeling the branch from a leaf $l$ to the root of a tree $t \in \mathrm{ran}(F)$. Set $X := V_\exists((\Gamma, \mathfrak{W}))$ and $Y := \{\, y \in V_\forall((\Gamma, \mathfrak{W})) \mid X \times \{y\} \subseteq R \,\}$. Let $\varrho \in Y \to (V_\exists \setminus V_\exists(F))$ be an injective substitution. Now the following instantiation of $R'$ and $M$ describes a sub-rule of the Expansion rule of the tableau calculus of Theorem 2.5: Set $R' := R$ and set $M$ to be the set containing the sequents $\mathfrak{W}\varrho < \mathfrak{V}$ and $\overline{B}\varrho$ for each formula $B$ listed in the sequent $\Gamma$.

Note that $Y$ contains exactly those free universal variables of $(\Gamma, \mathfrak{W})$ that have no free existential variables in their scopes when imagining any list of quantifiers for all free variables of $(\Gamma, \mathfrak{W})$ that represents (a superset of) $R$. The variables in $Y$ are those on which no solution for the free existential variables in $X$ depends. Therefore, the variables in $Y$ are those which we can instantiate when applying the induction hypothesis $(\Gamma, \mathfrak{W})$. Although it does not seem impossible to use more variables for induction, this does not seem to be necessary; especially because we can extend $R$ with $X \times \{y\}$ in order to instantiate $y$ when applying the induction hypothesis. Moreover, I do not know any more general approach in the literature. E.g., in Baaz & al. (1997), the inductive part of theorem proving is triggered by application of a $\delta$-rule and the variable $y$ of the quantifier removed by the $\delta$-rule becomes the induction variable. In our approach, the $\delta$-rule application would replace $y$ with a new free universal variable $y^\forall$ and extend the variable-condition with $X \times \{y^\forall\}$ such that $y^\forall \in Y$ would hold.

Proof of Theorem 2.6: According to the definition of an Expansion step in the tableau calculus of Theorem 2.5 we have to show that $\{(\Delta, \mathfrak{V})\}$ is $R$-strict/quasi-founded on $(H, \{\,(\Lambda\Delta, \mathfrak{V}) \mid \Lambda \in M\,\})$. Thus, for $A \in K$, $e$ an existential $(A,R)$-valuation, $\pi \in V_\forall \to A$, assume $((\Delta, \mathfrak{V}), \pi)$ to be an $(e,A)$-counterexample. If some formula $\Lambda \in M$ is not $(\pi,e,A)$-valid then also $((\Lambda\Delta, \mathfrak{V}), \pi)$ is an $(e,A)$-counterexample with $((\Lambda\Delta, \mathfrak{V}), \pi) \le_{(e,A)} ((\Delta, \mathfrak{V}), \pi)$. Otherwise, $\mathfrak{W}\varrho < \mathfrak{V}$ is but $\Gamma\varrho$ is not $(\pi,e,A)$-valid. Define $\pi' \in V_\forall \to A$ by

$\pi'(y) := \epsilon(e)(\pi)(\varrho(y))$ for $y \in Y$ and $\pi'(y) := \pi(y)$ for $y \in V_\forall \setminus Y$.

Claim 1: For $x^\exists \in V_\exists((\Gamma, \mathfrak{W}))$ we have $\epsilon(e)(\pi)(x^\exists) = \epsilon(e)(\pi')(x^\exists)$.

Proof of Claim 1: Otherwise there must be some $y^\forall \in Y$ with $y^\forall\, S_e\, x^\exists$. Since $x^\exists \in X$ we have $x^\exists\, R\, y^\forall$ by definition of $Y$. But then $S_e \circ R$ is not irreflexive, which contradicts $e$ being an existential $(A,R)$-valuation. Q.e.d. (Claim 1)

Hence, the values of $\Gamma$ and $\mathfrak{W}$ under $\mathrm{eval}(A \uplus \epsilon(e)(\pi') \uplus \pi')$ are the same as the values of $\Gamma$ and $\mathfrak{W}$ under $\mathrm{eval}(A \uplus \epsilon(e)(\pi) \uplus \pi')$ which again are the same as the values of $\Gamma\varrho$ and $\mathfrak{W}\varrho$ under $\mathrm{eval}(A \uplus \epsilon(e)(\pi) \uplus \pi)$ by the Substitution-Lemma. Thus, on the one hand from the $(\pi,e,A)$-validity of $\mathfrak{W}\varrho < \mathfrak{V}$ we get $((\Gamma, \mathfrak{W}), \pi') <_{(e,A)} ((\Delta, \mathfrak{V}), \pi)$; on the other hand from $\Gamma\varrho$ not being $(\pi,e,A)$-valid we know that $((\Gamma, \mathfrak{W}), \pi')$ is an $(e,A)$-counterexample. $\square$
3 An Example 



Due to limited space we are not able to show the usefulness of our integration of free existential variables and full first-order formulas into implicit induction with a sophisticated example. Instead, we will sketch a simplified toy example with mutual induction that will give the reader a concrete idea of what proofs look like. Note, however, that (due to mutual induction and non-trivial weights) even this toy example has no straightforward proofs in the ITP calculus of Baaz & al. (1997) or any known ITP system with the exception of QuodLibet, cf. Kühler (1999).

In order not to require even more prerequisites, we do not explicitly refer to our inductive specification techniques described in Kühler & Wirth (1996), but use a standard (order-sorted) first-order specification style.

Signature: Sorts: $\mathrm{nat} \subseteq \mathrm{ORD}$. Here $\mathrm{nat}$ is the sort of natural numbers and $\mathrm{ORD}$ the sort for the induction ordering. We use zero $0\colon \mathrm{nat}$ and successor $s\colon \mathrm{nat} \to \mathrm{nat}$ as constructors for the sort $\mathrm{nat}$. Moreover, $P\colon \mathrm{nat}$ and $Q\colon \mathrm{nat}, \mathrm{nat}$ are two defined predicates on the natural numbers. Furthermore, $<\colon \mathrm{ORD}, \mathrm{ORD}$ is the induction ordering and $\mathrm{lex}\colon \mathrm{nat}, \mathrm{nat}, \mathrm{nat} \to \mathrm{ORD}$ is the lexicographic combination of length 0, 1, or 2 as indicated by the first argument, e.g. $\mathrm{lex}(s(0), x, y)$ models the 1-tuple $(x)$ while $\mathrm{lex}(0, x, y)$ models the 0-tuple or empty word $()$. We use $x, y, z$ for variables of the sort $\mathrm{nat}$ where superscripts like in $x^\exists$ and $x^\forall$ indicate free existential and free universal variables. Axioms:



(lex0) $\forall x_1, y_0, y_1, z_0, z_1\colon\ \mathrm{lex}(0, y_0, z_0) < \mathrm{lex}(s(x_1), y_1, z_1)$

(lex1) $\forall x_0, x_1, y_0, y_1, z_0, z_1\colon\ (\mathrm{lex}(s(x_0), y_0, z_0) < \mathrm{lex}(s(x_1), y_1, z_1) \Leftarrow y_0 < y_1)$

(lex2) $\forall x_0, x_1, y, z_0, z_1\colon\ (\mathrm{lex}(s(x_0), y, z_0) < \mathrm{lex}(s(x_1), y, z_1) \Leftarrow \mathrm{lex}(x_0, z_0, 0) < \mathrm{lex}(x_1, z_1, 0))$

(nat0) $\forall x\colon\ (x = 0 \vee \exists y\colon x = s(y))$



(lex0) says that the empty tuple is the smallest, (lex1) implements a comparison of the first tuple elements, and (lex2) discards identical first tuple elements. (nat0) says that any natural number is zero or the successor of another natural number. The following axioms define the special predicates of our example.



(P0) $P(0)$

(P1) $\forall x\colon\ (P(s(x)) \Leftarrow (P(x) \wedge Q(x, s(x))))$

(Q0) $\forall x\colon\ Q(x, 0)$

(Q1) $\forall x, y\colon\ (Q(x, s(y)) \Leftarrow (Q(x, y) \wedge P(x)))$



We want to show $\forall x\colon P(x)$ and $\forall y, z\colon Q(y,z)$. We first do a tableau calculus proof. We start with the empty forest. Two Hypothesizing steps provide us with the hypotheses $(P(x_0^\forall);\ w_P(x_0^\forall))$ with single-branch tree (1) $w_P(x_0^\forall)$, (1.1) $\neg P(x_0^\forall)$; and $(Q(y_0^\forall, z_0^\forall);\ w_Q(y_0^\forall, z_0^\forall))$ with single-branch tree (2) $w_Q(y_0^\forall, z_0^\forall)$, (2.1) $\neg Q(y_0^\forall, z_0^\forall)$. Note that the first number in the preceding list is the number of the proof tree (indicating its root node) and a suffix denotes the step to the child node. Since the formulas of the specification are implicitly on all branches, we can use (nat0) to add to (1.1) the children $x_0^\exists = 0$ and $x_0^\exists = s(x_1^\forall)$ in an Expansion step with variable restriction $(x_0^\exists, x_1^\forall)$. An Instantiation step with $\{x_0^\exists \mapsto x_0^\forall\}$ (which a concrete inference system should do immediately together with the preceding Expansion step) gives us the new tree (1.1.1) $x_0^\forall = 0$, (1.1.2) $x_0^\forall = s(x_1^\forall)$. Rewriting copies of (1.1) with these children in two Expansion steps yields (1.1.1.1) $\neg P(0)$, (1.1.2.1) $\neg P(s(x_1^\forall))$. By (P0) we can close the first branch with (1.1.1.1.1) $P(0)$. By (P1) we can add (1.1.2.1.1) $P(s(x_1^\forall))$ (closed), (1.1.2.1.2) $\neg P(x_1^\forall)$, (1.1.2.1.3) $\neg Q(x_1^\forall, s(x_1^\forall))$. Now, after these standard first-order tableau steps we do an induction hypothesis application step as described in the previous section. We apply the hypothesis $(P(x_0^\forall);\ w_P(x_0^\forall))$ with substitution $\varrho := \{x_0^\forall \mapsto x_1^\exists\}$ to (1.1.2.1.2), resulting in the new children $P(x_1^\exists)$ and $w_P(x_1^\exists) \not< w_P(x_0^\forall)$, where $w_P(x_0^\forall)$ comes from the root (1) and $\not<$ is the negation of $<$. After instantiating $\{x_1^\exists \mapsto x_1^\forall\}$ we get (1.1.2.1.2.1) $P(x_1^\forall)$ (closed) and (1.1.2.1.2.2) $w_P(x_1^\forall) \not< w_P(x_0^\forall)$. Note that the only difference to an Extension step in Model Elimination tableaux (cf. Baumgartner & al. (1997)) lies with the additional child (1.1.2.1.2.2), which asks us to show that the instance of the hypothesis is smaller than the weight of our proof tree. Indeed: Hypothesis application differs from the standard lemma (or axiom) application only in producing an additional $\not<$-goal. This makes hypothesis application a little more expensive than lemma application. Similarly, we apply the induction hypothesis $(Q(y_0^\forall, z_0^\forall);\ w_Q(y_0^\forall, z_0^\forall))$ with substitution $\varrho := \{y_0^\forall \mapsto y_0^\exists,\ z_0^\forall \mapsto z_0^\exists\}$ to (1.1.2.1.3), which after instantiation with $\{y_0^\exists \mapsto x_1^\forall,\ z_0^\exists \mapsto s(x_1^\forall)\}$ results in (1.1.2.1.3.1) $Q(x_1^\forall, s(x_1^\forall))$ (closed) and (1.1.2.1.3.2) $w_Q(x_1^\forall, s(x_1^\forall)) \not< w_P(x_0^\forall)$. Rewriting the leaves of the open branches in place with (1.1.2) we get (1.1.2.1.2.2) $w_P(x_1^\forall) \not< w_P(s(x_1^\forall))$ and (1.1.2.1.3.2) $w_Q(x_1^\forall, s(x_1^\forall)) \not< w_P(s(x_1^\forall))$. Expanding the tree (2) analogously to the tree (1) we get as leaves of the open branches (2.1.2.1.2.2) $w_Q(y_0^\forall, z_1^\forall) \not< w_Q(y_0^\forall, s(z_1^\forall))$ and (2.1.2.1.3.2) $w_P(y_0^\forall) \not< w_Q(y_0^\forall, s(z_1^\forall))$. Now both hypotheses have been applied in both trees. Next, we choose our weight functions in such a way that we can close both trees: $w_P(x) := \mathrm{lex}(s(0), x, 0)$ and $w_Q(y,z) := \mathrm{lex}(s(s(0)), y, z)$. Applying (lex0), (lex1), (lex2) to the resulting leaves in the standard fashion results in $x_1^\forall \not< s(x_1^\forall)$ and $z_1^\forall \not< s(z_1^\forall)$ as the leaves of the only open branches. Finally, these branches are closed by comparing the size of a uniquely denoting constructor ground term: A branch containing a literal of the form $t_0 \not< t_1$ is closed if the number of occurrences of each free variable in $t_0$ is not bigger than the number of occurrences of that variable in $t_1$, the size of $t_0$ is strictly smaller than the size of $t_1$, and $t_0, t_1$ are pure constructor terms. Cf. Kühler & Wirth (1996) for the notion of "constructor term" and for the models where our induction ordering is wellfounded indeed.
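The closing of the four $\not<$-leaves can be mechanized. The following Python script is an added example and not code from the paper or from QuodLibet: it encodes the terms of the example as nested tuples (an assumption of the example, as are the function and variable names), reduces a goal $\mathfrak{W}_0 < \mathfrak{W}_1$ with (lex0), (lex1), (lex2) in the "standard fashion" (preferring (lex2) whenever the first tuple elements are syntactically identical), and then applies the constructor-size closure rule stated above to the residual nat goal.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple, Union

# Term encoding (an assumption of this example): a free variable is a plain
# string such as "x1"; an application is a tuple (symbol, *arguments).
Term = Union[str, tuple]
ZERO: Term = ("0",)

def s(t: Term) -> Term:
    return ("s", t)

def lex(n: Term, y: Term, z: Term) -> Term:
    return ("lex", n, y, z)

# The weight functions chosen in the example:
# w_P(x) = lex(s(0), x, 0) and w_Q(y, z) = lex(s(s(0)), y, z).
def w_P(x: Term) -> Term:
    return lex(s(ZERO), x, ZERO)

def w_Q(y: Term, z: Term) -> Term:
    return lex(s(s(ZERO)), y, z)

def is_app(t: Term, symbol: str) -> bool:
    return isinstance(t, tuple) and t[0] == symbol

def reduce_lex(t0: Term, t1: Term) -> Optional[List[Tuple[Term, Term]]]:
    """Reduce the ORD goal t0 < t1 with (lex0), (lex1), (lex2), outermost first.

    Returns [] if the goal is discharged by (lex0), [(a, b)] if it reduces to
    the nat goal a < b, and None if no axiom applies (the goal is stuck).
    """
    while is_app(t0, "lex") and is_app(t1, "lex"):
        _, n0, y0, z0 = t0
        _, n1, y1, z1 = t1
        if n0 == ZERO and is_app(n1, "s"):
            return []                      # (lex0): the empty tuple is smallest
        if not (is_app(n0, "s") and is_app(n1, "s")):
            return None
        if y0 == y1:                       # (lex2): drop identical first elements
            t0, t1 = lex(n0[1], z0, ZERO), lex(n1[1], z1, ZERO)
        else:                              # (lex1): compare the first elements
            return [(y0, y1)]
    return None

def is_constructor_term(t: Term) -> bool:
    if isinstance(t, str):
        return True
    return t[0] in ("0", "s") and all(is_constructor_term(a) for a in t[1:])

def size(t: Term) -> int:
    """Number of symbol occurrences (a variable counts one)."""
    return 1 if isinstance(t, str) else 1 + sum(size(a) for a in t[1:])

def var_occurrences(t: Term) -> Counter:
    if isinstance(t, str):
        return Counter({t: 1})
    occ: Counter = Counter()
    for a in t[1:]:
        occ.update(var_occurrences(a))
    return occ

def closes_by_size(t0: Term, t1: Term) -> bool:
    """Final closure rule of the example: a branch containing t0 ≮ t1 is closed
    if t0 and t1 are pure constructor terms, every variable occurs in t0 at most
    as often as in t1, and size(t0) < size(t1)."""
    if not (is_constructor_term(t0) and is_constructor_term(t1)):
        return False
    occ0, occ1 = var_occurrences(t0), var_occurrences(t1)
    if any(occ0[v] > occ1[v] for v in occ0):
        return False
    return size(t0) < size(t1)

def weight_leaf_closed(w0: Term, w1: Term) -> bool:
    """Close a leaf w0 ≮ w1: reduce w0 < w1 on ORD, then close each residual
    nat goal with the constructor-size rule."""
    residual = reduce_lex(w0, w1)
    if residual is None:
        return False
    return all(closes_by_size(a, b) for a, b in residual)

def example_leaves() -> Dict[str, bool]:
    """The four open ≮-leaves of the example after hypothesis application and
    rewriting (variable names as in the text), keyed by their node numbers."""
    x1, y0, z1 = "x1", "y0", "z1"
    return {
        "1.1.2.1.2.2": weight_leaf_closed(w_P(x1), w_P(s(x1))),
        "1.1.2.1.3.2": weight_leaf_closed(w_Q(x1, s(x1)), w_P(s(x1))),
        "2.1.2.1.2.2": weight_leaf_closed(w_Q(y0, z1), w_Q(y0, s(z1))),
        "2.1.2.1.3.2": weight_leaf_closed(w_P(y0), w_Q(y0, s(z1))),
    }

if __name__ == "__main__":
    for node, closed in example_leaves().items():
        print(node, "closed" if closed else "open")
```

Leaf (2.1.2.1.3.2) is discharged by (lex0) alone, while the other three reduce to $x_1 < s(x_1)$ or $z_1 < s(z_1)$ and need the constructor-size rule; a reflexive goal such as $w_Q(x_1, z_1) < w_Q(x_1, z_1)$ gets stuck and the leaf stays open.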

We may ask: Which steps in this proof were typical for ITP in the sense that their soundness relies on notions of inductive validity instead of the stronger notion of deductive (first-order) validity? Besides the four induction hypothesis applications, the final branch closure rules are typical for induction because they require that, in all models in $K$, the successor of each natural number is different from that natural number and each natural number is built up from zero by a finite number of successor steps (i.e. there are neither cycles nor $\mathbb{Z}$-chains in the models, cf. Enderton (1973)). Other steps typical for induction but not applied in this example are narrowing steps to solve equality literals. Their soundness relies on the freeness of the models in $K$. (Note that narrowing in ITP relies on confluence but not on termination of the reduction relation of the specification, cf. Wirth (1997).) Moreover, ITP often is only successful when one tries to show theorems that are more general than the ones one initially intended to show. This is because an inductive theorem is not only a task (as goal) but also a tool (as induction hypothesis) for ITP. This generalization is unsafe in the sense that it may transform a valid hypothesis into an invalid one (over-generalization). Therefore, generalization should not be modeled in Expansion steps within a tree. Instead, the generalized sequent should start a new tree (Hypothesizing step) and be later applied to the original tree as an induction hypothesis or lemma. Since a valid input theorem may result in an invalid goal due to over-generalization, the ability of an ITP system to detect invalid goals is important under a practical aspect. When all Expansion and Instantiation steps in a tree are known to be safe, the detection of an invalid goal in the tree implies invalidity of the hypothesis of this tree, which then should be completely removed from the proof forest.

Now we are going to compare the above tableau calculus proof with a corresponding sequent calculus proof of the same hypotheses. Of course, we could simply transform the tableau trees into sequent trees by bottom-up replacing the label of each node with the syntactic construct listing the conjugates of the formulas and the weight labeling the (partial) branch from this node to the root, and finally removing the root part of the tree where the nodes are ancestors of a node of the initial Hypothesizing steps (here: removing the root nodes). This, however, would mean to pay the price for sequent calculi (i.e. multiplying the number of formulas labeling each proof tree with at most nearly the depth of that tree) without using the advantages of sequent calculi. Thus, let us start again with the hypotheses $(P(x_0^\forall);\ w_P(x_0^\forall))$ and $(Q(y_0^\forall, z_0^\forall);\ w_Q(y_0^\forall, z_0^\forall))$. The single-node tree for the former is (1) $P(x_0^\forall);\ w_P(x_0^\forall)$. Note that the goal in the tree is identical to the hypothesis, contrary to the tableau version where the two differ in duality and locality. While this is not a hindrance for completely automatic ITP systems, it poses considerable practical problems in systems where user-guidance is possible: The primitive process of switching duality is a typical source of errors for human beings (or me at least). Perfectly analogous to the tableau proof we get the children $x_0^\forall \neq 0,\ P(x_0^\forall);\ w_P(x_0^\forall)$ and $x_0^\forall \neq s(x_1^\forall),\ P(x_0^\forall);\ w_P(x_0^\forall)$. Contrary to the tableau proof we are now able to rewrite the literal inherited from the parent node in place without copying it. Note that in tableau proofs an equality literal can be used to rewrite formulas of its offspring in place, whereas it must copy ancestor formulas beforehand down to its offspring because the ancestor is also part of other branches that do not include the equality literal. Moreover, the weight term can be rewritten as well, which again is not possible in the tableau version where the weight is at the root node. After rewriting we get $x_0^\forall \neq 0,\ P(0);\ w_P(0)$ and $x_0^\forall \neq s(x_1^\forall),\ P(s(x_1^\forall));\ w_P(s(x_1^\forall))$. Since the equality literals are in solved form for the variable $x_0^\forall$ that does not occur elsewhere in the syntactic constructs, we know that validity cannot rely on this literal. This means that we can safely remove both equality literals resulting in (1.1) $P(0);\ w_P(0)$ and (1.2) $P(s(x_1^\forall));\ w_P(s(x_1^\forall))$. Removing redundant formulas is the most important simplification step besides contextual rewriting. It seems to be impossible in tableau trees unless the redundancy of the formula is due to the ancestor nodes only, which only is the case for useless formulas that should not have been added at all. In Wirth (1997) and in QuodLibet (cf. Kühler (1999)) the Expansion from (1) into (1.1) and (1.2) is done by a single inference step applying a so-called "covering set of substitutions". Note that the present state of the sequent proof is much simpler than the corresponding state of the tableau proof. The former consists of the nodes (1.1) and (1.2) and has two formulas and one variable. The latter consists of a six node tree with five formulas and two variables. This is of practical importance because tactics for proof search are more easily confused with less concise proof state representations. The rest of the whole sequent proof is analogous to the tableau proof with the exception that all rewrite steps are omitted since there are no equality literals to rewrite with and the terms are already in normal form.

Another possibility restricted to sequent calculi is that each syntactic con- 
struct labeling a node in the trees can be applied as an induction hypothesis. 
We do not see a real advantage in this because splitting the tree in two above 
such an induction hypothesis results in a better structure of the proof forest 
and in more successful proofs because we can adjust the syntactic construct 
appropriately: Suppose we had not started a new proof tree for the hypothesis 
for Q but instead kept the hypothesis for Q down in the tree (1) at position 
(1.2.3). Several unsafe generalization steps would have been necessary before 
$Q(x_1, s(x_1)),\ P(s(x_1));\ W_Q(s(x_1))$ would have become useful as an induction
hypothesis, namely removing the second formula, generalizing $s(x_1)$ to a new
variable, and switching to a weight that also measures this new variable. More- 
over, in practice one should not apply the hypothesis for Q in the tree for P 
before it is obvious that the tree for Q mutually needs the hypothesis for P: 
Most of the time a proof for Q can be completed in a proof forest not containing 
the tree for P. In this case, not only the number of trees in the proof forest for Q 
gets smaller, but also the tree for P because $\forall y, z :: Q(y, z)$ can then be applied
as a lemma and not as an induction hypothesis, which cuts off the ^-branch of 
the proof tree of P. 

4 Conclusion 

We have shown how to integrate implicit ITP into first-order sequent and tableau 
calculi. The following aspects are novel compared to the concrete implicit in- 
duction calculus of Wirth (1997): The tableau presentation, the possibility to 
use full first-order formulas instead of literals only, and the important addi- 
tion of free existential variables, i.e. the “dummies” of Prawitz (1960), mak- 
ing the major difference between the free variable calculi of Fitting (1996) and 
the calculi of Smullyan (1968). Contrary to Baaz & al. (1997) we really inte- 
grate implicit induction: When we start an inductive proof we do not restrict 
the applicable induction hypotheses. We can do mutual induction and invent 
completely new induction hypotheses, which can be full first-order sequents 
instead of literals only. Moreover, we can also generate induction hypotheses 
eagerly in the style of explicit induction, which enables goal-directedness w.r.t. 
induction hypotheses. All this is not possible in the calculus of Baaz & al. (1997). 
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Furthermore, we exemplified that although tableau calculi may save rep- 
etition of formulas, sequent calculi have substantial advantages: Rewriting of 
formulas in place is always possible, and we can remove formulas that are re- 
dundant w.r.t. the other formulas in a sequent. Note that formulas like (nat0) 
make equality omnipresent in induction and that these simplification steps are 
even more important in inductive than in deductive theorem proving: Not only 
do they play a role in the generation of appropriate induction hypotheses; they 
are an essential part of the failure detection process that has to compensate for 
over-generalization of induction hypotheses in addition to the detection of invalid 
input theorems. Finally, the presence of two dual versions of each hypothesis in 
inductive tableau calculi makes proof guidance by human users more difficult. 
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Abstract. This paper describes WinKE, an interactive proof assistant, 
which is based on the KE calculus. The software has been designed to 
serve as a tutoring system supporting the teaching of logic and theorem 
proving through KE. 



1 Introduction 

The KE calculus [4] is a refutation system close to the common method of 
semantic tableaux. The main difference between the two is that KE is explicitly 
not cut-free. Its analytic cut rule, PB, is the only branching rule of the system. 
Elsewhere [3] it has been argued that KE might be better suited for teaching 
elementary classical logic than for instance Tableau. The first logic textbook 
based on KE has been published recently [5]. 

Even though KE proofs are essentially shorter than Tableau proofs [3,4], the 
traditional way of manually building up such trees is - within the teaching con- 
text - hardly feasible for examples exceeding, say, five branches, and is in general 
very time consuming and error-prone. The use of a proof assistant with a strong 
graphical user interface can help to overcome such problems. It may be used for 
demonstration purposes during classes or as an interactive learning environment 
for students working on their coursework. WinKE has been designed to meet 
those requirements. First of all, it serves as a ‘drawing board’ for constructing 
KE proof trees. On top of that various levels of user support are provided, rang- 
ing from basic bookkeeping facilities to a fully automated theorem prover for 
propositional and first order logic. WinKE’s design was strongly inspired by the 
work described in [6]. The program runs under Windows and has been imple- 
mented in LPA WinProlog. 

In the sequel WinKE’s interface and its most important features are described. 
The last section briefly compares WinKE with other programs of similar objec- 
tives. 

2 Interface and Graphic Tools 

WinKE’s interface consists of four windows (see Fig. 1), all of which are opened 
after the program has been started. The large window is used to display the cur- 
rently active proof tree. Whenever a particular action requires a specific formula 
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to be selected, this is done by clicking on that formula on the tree using the 
mouse. In what way the system will react on such a selection depends on the 
graphic tool chosen. A graphic tool can be selected from the graphic tool box, 
just as in any standard graphics software for Windows. The main window con- 
tains all the menus to call dialogues for the user’s interaction with the program. 
The buttons on that window provide shortcuts to menu options likely to be used 
frequently. Finally, the window in the lower left-hand corner can be used as a 
viewer to navigate around large proof trees that do not fit onto a single screen. 

Proof trees displayed in the graphic window consist of graphical objects, 
which are either formulae or so-called branch markers used to refer to a certain 
branch of a tree. A branch marker is either represented as a circle (for open 
branches) or as a cross (for closed branches), placed below the last formula of 
that branch. Every formula is associated with a certain number, which can be 
used to refer to parent formulae. 

The default graphic tool is the select tool. Clicking on a formula or a branch 
marker with the select tool will highlight that object. The user may then choose 
a particular action (by choosing a menu option) to be applied to the selected 
objects. This will typically be an application of a KE rule. Where necessary the 
user is prompted for further input (via a dialogue), e.g. the conclusion of a rule 
application. Then the tree is expanded accordingly. The formulae on a tree are 
automatically grouped in a space-saving and ‘aesthetic’ way, thus making sure 
the user can concentrate on the semantics of a proof tree, instead of its layout. 
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Two different graphic tools to delete formulae from a tree are provided, the 
delete and a retract tool. The former simply prunes the tree at the clicked formula, 
whereas the retract tool only deletes those formulae that logically depend on the 
clicked one, i.e. that could not have been derived without that formula being on 
the same branch. This is completed by a standard ‘undo’ option available from 
the menus. 

The hint tool applied to an open branch marker will highlight all formulae 
that have not yet been analysed on the associated branch. Vice versa clicking 
a formula will highlight all open branch markers denoting a branch which that 
formula has not yet been analysed on. Finally, the bookkeeping tool will display 
the bookkeeping information available for each node. If that node is a formula, 
the bookkeeping information consists of the KE rule used to derive it, the parent 
formula(e), and possibly the sibling formula. In addition, formulae that are either 
analysed or subsumed on all open branches are marked. If the node clicked on 
is a closed branch marker, the bookkeeping tool reveals which pair of formulae 
has been used to close that branch. The button showing a question mark can be 
used to enter the WinKE help system directly at the section on graphic tools. 

3 Deduction and Countermodels 

Typically WinKE is used to perform a step-by-step deduction. The system pro- 
vides three different modes, namely the supervisor, the pedagogue, and the as- 
sistant mode. In supervisor mode within the rule application dialogues (for an 
example see Fig. 2) any (syntactically correct) input is accepted, whereas in 
pedagogue mode the correctness of the rule applications is checked on-line. The 
same is true for the assistant, but here the user’s input is reduced to a minimum. 
That means, for the simple rules (the propositional ones apart from PB), no 
input of the conclusion(s) is required as their derivation is straightforward given 
the premise(s). For the other rules the system gives a list of possible inputs to 
choose from (alternatively, the user may also type in a formula). In case the 
supervisor mode has been used, WinKE also provides off-line proof checking. This 
will display all errors on a tree in turn and allow the user to retract the wrong formu- 
lae directly. For novice users the pedagogue mode will be the most useful one. 
After some training, possibly in an exam-like context, the supervisor mode may 
be used. Once a student is familiar with the basics, the assistant mode provides 
a comfortable way for studying KE more profoundly, for example by comparing 
different ways of proving the same theorem. 

For the on- as well as for the off-line checking the user may choose the level of 
error reporting. Only the very basic KE rules are checked in any case, in addition 
you may or may not add checking for beta simplification (subsumption), analytic 
application of PB, and/or checking of the order of rule applications (like for 
example: analyse an alpha formula before you split a branch using PB, etc.). 

In particular to make the system a more convenient assistant, but also to be 
able to demonstrate proofs to novice users, the option to automatically derive 
(parts of) proofs has been added. You can either ask WinKE to perform the next 
proof step on a selected branch automatically, to finish a branch, or to complete 
an entire proof. 

Fig. 2. Applying a Beta Rule 

For consistent sets of formulae, i.e. if there are open branches that cannot 
be closed, WinKE can automatically derive the description of a countermodel. 
Moreover, for certain classes of problems a graphical visualization of a counter- 
model may be displayed. If for instance the countermodel just contains a single 
2-ary predicate and the number of terms appearing is limited, the positive atoms 
in the model can be represented as edges in a graph. Another example where 
visualization is possible is the class of (simple) ‘pigeon hole’ problems. 

4 Additional Features 

KE problems are saved in files, either as problems, proofs, or incomplete proofs. 
Within the program you can jump between different problems of the same file. 
Problem files are edited in the same environment as they are worked on. You 
have the option to cut and paste from existing problems when defining new ones. 
This offers a comfortable way for teachers to write up and test new exercises. 
Students could be encouraged to make their own experiments trying different 
sets of formulae. 

Every problem is associated with a text of arbitrary length. Also that text 
can be edited and read directly within WinKE. In the context of a student ex- 
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ercise it might contain hints for finding a solution or a reference to a page of a 
textbook. Other features available include printing and generating descriptions 
of proof trees. Parts of the functionality of WinKE can be made password 
protected, for example to disable automated proving, the assistant mode, or the 
proof checker. The tool is completed by a comprehensive on-line help system. 



5 Conclusion 

WinKE’s principal task is to support teaching in the context of an introduc- 
tory course on elementary classical logic. The software is complementary to the 
logic textbook [5], which is based on KE. Evaluation copies of the software are 
available on request. 

Other logic tutors include popular programs like Tarski’s World [1] and Hyper- 
proof [2]. Using Tarski’s World students are asked to verify first order formulae 
stating propositions about simple worlds inhabited by geometric objects, but 
unlike WinKE the program does not deploy a systematic proof procedure. Hy- 
perproof is used to construct proofs of statements about that same geometric 
world applying a natural deduction like calculus. As it is restricted to examples 
of that particular domain it is difficult to be compared with WinKE. WinKE 
has been designed to simulate an existing proof procedure. In that sense it is 
supportive of the teaching process. For Hyperproof, on the contrary, teaching is 
more likely to be centered around the software. 

The Tableau II program [7] is based on semantic tableaux and therefore much 
closer to WinKE than the other two systems. As far as interface and usability 
are concerned WinKE clearly offers noticeable advantages over Tableau II. 
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Abstract. We present a proof procedure based on the KE calculus for 
propositional logic and its implementation as a short Prolog program. 
The procedure’s time complexity is discussed and compared to that of 
an efficient Tableau based prover. 



1 Introduction 

The KE calculus [2] is a refutation system close to Tableau. The crucial feature 
that distinguishes the former from the latter is the integration of an analytic cut 
rule {PB). Even though some sort of ‘superiority’ of KE over Tableau in terms 
of proof size has been stated in the literature, until now no implemented KE 
based proof procedure can compete with state-of-the-art Tableau provers as far 
as runtimes are concerned. 

The aim of this work has been to close that gap, at least for the case of clas- 
sical propositional logic. As a benchmark we take leanTAP [1], a ‘lean’ Tableau 
based theorem prover implemented in Prolog, which is simple and efficient. As 
leanTAP was built for first order logic we will first reduce it to a propositional 
prover in order to guarantee a ‘fair competition’. Then a KE based proof pro- 
cedure is designed in a similar fashion. The problems naturally arising during 
such a transformation are addressed and - where possible - solved. We conclude 
with an experimental comparison of the two procedures. 

2 Space and Time 

In [2] it has been shown that KE linearly simulates the Tableau method, whereas 
the latter cannot p-simulate KE, in other words: KE proofs are basically shorter 
than Tableau proofs. This is in fact true - with respect to space - for ‘ideal’ 
(again, with respect to space) proof procedures. 

But, from that observation alone, we cannot conclude, that for a specific 
problem the KE deduction is also faster than the Tableau deduction. Apart from 
the space complexity results also the following points need to be considered: 

— The time taken by a proof procedure depends on the number of derived 
formulae and on the time required to derive one such formula. In a KE 
based procedure an application of a beta rule takes much more time than 
any step (apart from closing a branch) in a Tableau prover. 
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— KE has more rules than Tableau. A proof procedure has to check which 
rule to apply to a given formula. As there are fewer possibilities in Tableau, 
the checking will be faster in that setting. 

— A fast prover is not necessarily ideal with respect to space. leanTAP for 
instance does not build up a minimal proof tree, but still is very time 
efficient. 



3 A Tableau Procedure for Propositional Logic 

The Prolog program leanTAP as defined in [1] implements a small theorem prover 
for first order logic, based on free-variable semantic tableaux. Table 1 shows an 
adaptation for propositional logic, which we call tap.¹ Like the original, tap is 
restricted to negation normal form (NNF), i.e. negation has to be pushed down 
to the atomic level before deduction starts. 



    tap( (A,B), Fmls, Lits) :- !,                 % apply alpha
        tap( A, [B|Fmls], Lits).

    tap( (A;B), Fmls, Lits) :- !,                 % apply beta
        tap( A, Fmls, Lits), !,
        tap( B, Fmls, Lits).

    tap( Lit, _, Lits) :-                         % close branch
        (Lit = -(C) ; -(Lit) = C) -> member( C, Lits).

    tap( Lit, [Fml|Fmls], Lits) :-                % next formula
        tap( Fml, Fmls, [Lit|Lits]).

Table 1. leanTAP for propositional logic 



To obtain tap from leanTAP the clauses handling quantified formulae have 
been omitted and the clause for closing branches has been simplified as no occur 
check is necessary. Due to the nature of these simplifications, it is clear that tap 
will be slightly faster than leanTAP for propositional logic. 

4 Designing the KE Proof Procedure 

In KE proof trees are constructed in a similar way to the Tableau method. Alpha 
rules and the notion of a closed branch are identical for both calculi. KE beta 
rules are linear and take two premises. For example, from A ∨ B and ¬A we can 
infer B. Unlike Tableau, KE is not cut-free. Following the principle of bivalence 
(PB) a branch may be split adding a formula A to the left and its negation ¬A to 
the right branch. For analytic KE the choice for such PB-formulae is restricted 
to subformulae of beta formulae that are already on the branch to be split [2]. 

¹ The provers described in this paper can handle conjunction, disjunction, and nega- 
tion, which have been represented in Prolog as ‘,’, ‘;’ and ‘-’, respectively. 

When trying to follow the lines of tap’s design to construct a KE based 
theorem prover (for propositional formulae in NNF) we encounter the following 
problems: 

— If PB is applied to a non-atomic subformula, its negation will not be in 
NNF. On the other hand we cannot simply restrict PB to literals, as the 
remaining calculus would not be complete. 

— The most time consuming steps during proof search are those where you 
have to search a list for a matching formula, i.e. closure (both calculi) and 
KE’s beta rules. For closing branches it is possible to restrict this search to 
complementary literals. It would be nice to have a similar restriction for the 
search of complements of minor premises for beta formulae. Unfortunately, 
KE is not complete if beta rules can only be applied to literals as minor 
premises. 

To overcome those difficulties we introduce an adaptation of KE, which we 
will call KE*. Informally we obtain KE* from KE by restricting the application 
of beta rules to literals as minor premises, with one exception: directly after 
every application of PB the next (obvious) application of beta is performed in 
any case. For example, if PB is applied to A, the left subformula of A ∨ B, then 
write A on the left branch, and ¬A and B on the right one (whether A is a 
literal or not). KE* is restricted to formulae in NNF. The problem addressed 
before, namely that PB can produce non-NNF formulae, is solved by immediately 
transforming the negated PB-formula into NNF. KE* is easily shown to be sound 
and complete (via a ‘reduction’ to KE and Tableau, respectively). 

The simplest transformation of tap into a KE* proof procedure would only 
involve replacing the Tableau beta rule with the two beta rules for KE* (one 
for the left and one for the right subformula) and the new PB rule. This proce- 
dure can be improved by holding back beta formulae unless there are no more 
unexpanded alpha formulae on the branch. 

A Prolog implementation of this procedure, which we call kep, is shown in 
Table 2. The alpha rule is the same as for tap. So is the clause which moves the 
active literal into the list Lits and puts the next unexpanded formula into focus 
(‘next formula’). The second clause does the ‘storing’ of beta formulae: they are 
temporarily stored in the list Betas and the next formula is tackled. The last 
clause takes the first element of that list of beta formulae and puts it into focus, 
if there are no more unexpanded formulae left in the main list Fmls. Also the 
implementation of the beta rule for the left subformula is straightforward. An 
attempt to apply beta is only made if the left subformula A is a literal. For 
the second beta rule things are more complicated. If the left subformula A is 
also a literal, we already know that the complement of A is not on the branch 
(i.e. in Lits). Otherwise beta would have been applied to it before. Because 
the conclusion of the beta rule is A, the next step would be to try to close the 
branch using A, i.e. to search Lits again. As we do not want to repeat this time 
consuming search, which is bound to fail anyway, that step can be omitted; A can 
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kep( (A,B), Fmls, Betas, Lits) !, % alpha 

kep( A, [BlFmls], Betas, Lits). 

kep( (A;B), [Fml | Fmls] , Betas, Lits) !, % store beta 
kep( Fml, Fmls, [ (A; B) | Betas] , Lits). 

kep( (A;B), [] , Betas, Lits) % apply beta: left 

(literal ( A) -> ( (A = -(C); -(A) = C) -> member ( C, Lits))), !, 
kep( B, [] , Betas, Lits). 

kep( (A;B), [] , Betas, Lits) % apply beta: right 

(literal ( B) -> ( (B = -(C); -(B) = C) -> member ( C, Lits))), !, 
(literal ( A) 

-> Betas = [Beta I Rest], kep( Beta, [] , Rest, [A | Lits]) 

; kep( A, [] , Betas, Lits)). 

kep( (A;B), [] , Betas, Lits) :- !, % apply pb 

(literal ( A) 

-> Betas = [Beta I Rest], kep( Beta, [] , Rest, [A | Lits]) 

; kep( A, [] , Betas, Lits)), 
imf( -(A), NNF), !, 

(literal ( B) 

-> kep( NNF, [] , Betas, [BiLits]) 

; kep( NNF, [B] , Betas, Lits)). 

kep( Lit, _, _, Lits) :- % close branch 

(Lit = -(C); -(Lit) = C) -> member( C, Lits). 

kep( Lit, [FmllFmls], Betas, Lits) :- !, % next formula 

kep( Fml, Fmls, Betas, [Lit | Lits]). 

kep( Lit, [] , [Betal Betas] , Lits) :- % next beta formula 

kep( Beta, [] , Betas, [Lit | Lits]). 



Table 2. The KE based theorem prover kep for propositional logic 



be added to the list of literals directly, and the next formula can be addressed. 
If there is no such formula left, the procedure fails, because the branch cannot 
be closed. Similarly, when applying PB we already know, that, if one of the 
subformulae is a literal, its complement will not be found in Lits. So again, 
time can be saved. Note that the negated PB-formula is directly transformed 
into NNF. 
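To make the difference between the two procedures concrete, here is an added example (not code from the paper): a Python transliteration of tap (Table 1) and of the KE* procedure kep (Table 2), with counters for alpha, beta and PB applications and for closed branches. The Prolog tables rely on helper predicates literal/1 and nnf/2 that are not shown on the page; their counterparts here are is_literal and nnf. The tuple encoding of formulae, the counter names and the three clause sets are assumptions of this example, and the clause sets are constructed here, not the Pelletier problems used in the paper.

```python
# Added example, not from the paper: tap (Tableau) and kep (KE*) in Python,
# following the clause order of Tables 1 and 2. Formulas must be in NNF:
#   atom 'p'   negated atom ('not', 'p')   ('and', A, B)   ('or', A, B)
# Counters: alpha / beta / pb applications and closed branches (assumed names).

def is_literal(f):
    return isinstance(f, str) or (f[0] == 'not' and isinstance(f[1], str))

def complement(lit):
    return lit[1] if isinstance(lit, tuple) else ('not', lit)

def nnf(f):
    """Push negation down to the atoms (kep needs this after a PB step)."""
    if isinstance(f, str):
        return f
    if f[0] in ('and', 'or'):
        return (f[0], nnf(f[1]), nnf(f[2]))
    g = f[1]                                   # f is ('not', g)
    if isinstance(g, str):
        return f
    if g[0] == 'not':
        return nnf(g[1])                       # double negation
    dual = 'or' if g[0] == 'and' else 'and'    # De Morgan
    return (dual, nnf(('not', g[1])), nnf(('not', g[2])))

def new_stats():
    return {'alpha': 0, 'beta': 0, 'pb': 0, 'closed': 0}

def tap(fml, fmls, lits, st):
    """Tableau: True iff every branch below the current point closes."""
    if not is_literal(fml):
        op, a, b = fml
        if op == 'and':                        # alpha: B is kept for later
            st['alpha'] += 1
            return tap(a, [b] + fmls, lits, st)
        st['beta'] += 1                        # beta: split the branch
        return tap(a, fmls, lits, st) and tap(b, fmls, lits, st)
    if complement(fml) in lits:               # close branch
        st['closed'] += 1
        return True
    if fmls:                                   # next formula
        return tap(fmls[0], fmls[1:], [fml] + lits, st)
    return False                               # open branch, nothing left

def kep_cont(a, betas, lits, st):
    """Continue with conclusion A whose complement is known to be absent
    from lits: a literal A is added without repeating the closure search."""
    if is_literal(a):
        if not betas:
            return False                       # branch stays open
        return kep(betas[0], [], betas[1:], [a] + lits, st)
    return kep(a, [], betas, lits, st)

def kep(fml, fmls, betas, lits, st):
    """KE*: beta only with a literal minor premise, otherwise PB."""
    if not is_literal(fml):
        op, a, b = fml
        if op == 'and':                        # alpha
            st['alpha'] += 1
            return kep(a, [b] + fmls, betas, lits, st)
        if fmls:                               # store beta until alphas are done
            return kep(fmls[0], fmls[1:], [fml] + betas, lits, st)
        if is_literal(a) and complement(a) in lits:   # beta: left
            st['beta'] += 1
            return kep(b, [], betas, lits, st)
        if is_literal(b) and complement(b) in lits:   # beta: right
            st['beta'] += 1
            return kep_cont(a, betas, lits, st)
        st['pb'] += 1                          # PB on A, then the forced beta
        if not kep_cont(a, betas, lits, st):
            return False
        neg_a = nnf(('not', a))                # negated PB-formula back in NNF
        if is_literal(b):
            return kep(neg_a, [], betas, [b] + lits, st)
        return kep(neg_a, [b], betas, lits, st)
    if complement(fml) in lits:               # close branch
        st['closed'] += 1
        return True
    if fmls:                                   # next formula
        return kep(fmls[0], fmls[1:], betas, [fml] + lits, st)
    if betas:                                  # next beta formula
        return kep(betas[0], [], betas[1:], [fml] + lits, st)
    return False

def tap_refute(fmls):                          # returns (refuted, counters)
    st = new_stats()
    return tap(fmls[0], list(fmls[1:]), [], st), st

def kep_refute(fmls):                          # returns (refuted, counters)
    st = new_stats()
    return kep(fmls[0], list(fmls[1:]), [], [], st), st

def neg(x):
    return ('not', x)

# Constructed clause sets for this example (not the Pelletier problems):
HORN = [('or', 'p', 'q'), ('or', neg('p'), 'r'), ('or', neg('q'), 'r'), neg('r')]
SQUARE = [('or', 'p', 'q'), ('or', neg('p'), 'q'),
          ('or', 'p', neg('q')), ('or', neg('p'), neg('q'))]   # kep must use PB
SAT = [('or', 'p', 'q'), neg('p')]                             # satisfiable

if __name__ == '__main__':
    for name, fs in (('HORN', HORN), ('SQUARE', SQUARE), ('SAT', SAT)):
        print(name, 'tap:', tap_refute(fs), 'kep:', kep_refute(fs))
```

On HORN the tableau splits at every disjunction (6 beta steps, 7 closed branches) while kep closes a single branch with three linear beta steps and no PB; on SQUARE no literal minor premise is available at first, so kep has to fall back to PB. To prove a theorem F rather than refute a set, run either procedure on the list [nnf(('not', F))].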

5 Performance: Tableau v. KE 

Applying a beta rule in KE reduces the number of branches compared to Tableau, 
but in Tableau such additional branches can be closed directly after having 
applied beta. For the given procedures those two actions have the same time 
complexity. In tap we have one basic step for the application of beta and one 
search through the list of literals for the closure. For kep we first search the list 
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for the complement of the literal subformula and then we have the basic step of 
the actual rule application. What remains are four major differences between the 
two procedures that determine which of them will perform better when trying 
to refute a set of formulae. 

— As kep has more clauses than tap, for every formula on the tree more 
checks of which clause applies have to be made. 

— As in Prolog it is easier to insert an element at the beginning of a list than 
at the end, the storing of beta formulae in kep changes the order in which 
the two procedures analyse those formulae. What impact this has on the 
proof size is not clear and depends very much on the specific example. 

— PB introduces a new formula on the right branch, the negated PB-formula, 
which Tableau does not do. This may help closing a branch earlier, but 
could also distract from applying the ‘right’ rules. 

— For kep the transformation into NNF during an application of PB will 
require additional time. 





                      tap                               kep
    No.   Time      Formulae   Branches     Time      Formulae   Branches
          (msecs)   Derived    Closed       (msecs)   Derived    Closed
     1      4         16          4           4         13          2
     2      2          6          2           2          7          2
     3      2          6          1           2          6          1
     4      4         16          4           4         13          2
     5      4         18          3           4         12          2
     6      1          2          1           1          2          1
     7      1          2          1           1          2          1
     8      2          6          2           2          5          1
     9      4         22          9           4         16          3
    10      6         38          9           8         42          7
    11      2          6          2           2          7          2
    12     26        138         24          41        185         32
    13      6         36          9           7         28          3
    14      8         42         10          13         52          9
    15      4         16          4           4         13          2
    16      2          6          1           2          6          1
    17     10         64         14          12         39          3

Table 3. Performances of tap and kep on the Pelletier Problems 1-17 



Table 3 shows results for the runtimes of tap and kep on the Pelletier 
Problems for propositional logic [4]. Both programs have been tested on a Sun 
Sparc 10 running SWI-Prolog 2.1. The times given (average runtime for 100 
tests) include the search for an NNF. While kep derives slightly fewer formulae 
and requires about three quarters of the branches, it is on average around 10% 
slower than tap. 

318 Ulrich Endriss 

In [3] the KE based prover leanKE is compared with leanTAP (both for first 
order logic). It derives slightly fewer formulae than kep and closes slightly fewer 
branches. The average runtime compared to leanTAP on the same set of problems 
is around 350%. That leanTAP is that much faster than leanKE is partly due 
to the size of the latter: leanKE has many more clauses, which means that for 
every formula to be analysed the time to find the right clause is longer. Moreover, 
leanKE, unlike kep, does not implement a strategy preventing it from searching 
for the complement of a formula a second time after a beta rule or PB has been 
applied. 
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anonymous referees for their helpful comments. 
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Abstract. Automated Deduction offers no unique strategy which is uni- 
formly successful on all problems. Hence a parallel combination of strate- 
gies increases the chances of success. Our approach is made even more 
efficient by the exchange of suitable intermediate results. We present in 
this paper the model of a cooperative parallel model elimination prover 
which combines different lemma selection strategies in a strategy parallel 
prover environment. We assess the results of first experiments and give 
an outline of the future work. 



Introduction. Up to now, sequential automated theorem provers (ATPs) have 
set a high standard. But when dealing with difficult problems, ATPs are still 
inferior to a skilled human mathematician. An important technique to increase 
the performance is to employ parallelism. Another promising technique is the 
use of lemmata for reducing the search space which has to be processed for 
obtaining a solution. We want to show that both parallelism and lemmatiza- 
tion can profit from the combination of several lemma selection strategies in a 
competitive manner. Thus our aim is the realization of such a combination. 

Our prover system is based on model elimination [Lov68]; all sub-provers are 
instances of the SETHEO [MIL+97] prover. 

Several approaches for cooperation have been discussed in the literature like 
the resolution based DARES [CMM90] or the model elimination provers ME- 
TEOR [AL97] and DELTA [Sch94], which use lemmata. 

The system abstract is organized as follows. The three main sections deal with 
the topics lemma generation and evaluation, lemma selection, and combination 
of lemma generation techniques. We conclude with a short assessment of first 
experimental results and with an outlook. 

Lemma Evaluation. Lemmata have the potential to reduce the search space 
to be processed. By separating parts of an original proof p one can achieve a 
modularization of both the proof and the search process. Technically a simple 
version of such a modularization can be realized as a procedure which generates 
unit-lemmata and uses them for constructing a proof p' of the actual problem. 
The new proof p' is smaller and hence easier to find than p. The restriction of the 
generation procedure to lemmata, which are ‘useful’ with respect to the modu- 
larization of the actual proof task performs the desired restriction of the search 
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space. Which lemmata can be considered to be useful? The lemmatization has to 
reduce the necessary effort for finding a proof by modularization. Consequently, 
a lemma is considered to be useful only if it enables a separation of a significant 
part of the original proof. This is only possible, if the lemma itself requires a 
significantly complex proof. A suitable way to measure the proof complexity of 
a lemma $l$ is the minimal proof length $p(l)$, the number of inferences contained 
in the smallest proof of $l$. For practical reasons, we assume the first proof of 
a certain lemma $l$ generated by the applied proof procedure to be the minimal 
one (it is the proof generated consuming minimal resources). A comparatively 
large value of this parameter will be our first selection criterion. 

To use the proof length as the only criterion is not sufficient for an efficient 
lemma selection. In most cases an overwhelming number of lemmata requiring 
non- trivial proofs exist. Hence an additional selection criterion is needed. This 
criterion can be based on the observation that the potential of separating a 
significant part of some proofs is not sufficient; the separation must actually 
happen in a proof of the actual problem. Consequently, we choose the relevancy 
$r(l)$ of a lemma $l$ with respect to the actual proof task as a second selection 
criterion. Many different methods for the relevancy estimation are possible. Each 
one leads to a specific selection strategy. In the experiments, we evaluate some 
of these criteria. 

The information measure $I$ described in [Dra98a] evaluates a lemma $l$ with 
respect to the two criteria given above. This is done by using the product 
$I(l) = p(l) \cdot r(l)$ of the proof complexity $p(l)$ and the relevancy $r(l)$. A lemma 
$l$ is considered to be suitable if $I(l)$ has a large value. So both uninteresting 
lemmata with a small relevance value and trivialities with a small complexity 
are excluded. These considerations also establish an argument for the name 
information measure. The value of $I(l)$ is large if $l$ seems to be of great value 
for the construction of the final proof. 

Dynamic Lemma Selection. In this section, we present a prover model, which 
allows a dynamic selection of sets of high value lemmata to enrich the original 
proof task. Our prover is based on the cooperation in a cooperative cell, which is a 
triple (RG,LG,LS) consisting of a request generation component (RG), a lemma 
generation component (LG), and a lemma selection component (LS). In our im- 
plementation, both generators use SETHEO. LG produces unit lemmata similar 
to DELTA and uses the evaluation strategies given in the previous section. RG 
tries to prove the set of input clauses and generates proof requests (subgoals 
which fail because of the lack of resources during the proof attempt). To achieve 
cooperation between RG and LG, LS repeatedly chooses a subset of the lemmata 
generated by LG. Each time such a set of lemmata has been selected, a new de- 
pendent sub-prover is started. In detail, our implementation works as follows. LG 
sends a data stream of generated lemmata to LS accompanied with the value of 
the information measure of this lemma. In order to support the lemma selection 
RG adds data on the information measure to the generated proof requests and 
sends the requests to LS. If a lemma I is more general than the request r, it may 
be useful for the proof search. When additionally using I in the original proof 
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task, the RG would succeed at the generation position of r and possibly com- 
plete the proof attempt. In LS the received data is ranked with respect to the 
attached evaluation value. At any time, the best k lemmata of the lemma pool 
in LS represent possibly well- suited lemmata and form a lemma-set C. Every 
time jC has “significantly” changed, a new dependent sub-prover is started. This 
prover tries to refute the original input clauses augmented with C. 

The following figure illustrates the data flow of a cooperative cell. The 
width of the arrows indicates the amount of data transmitted between the com- 
ponents. The scheme additionally shows that not all generated lemmata and 
requests are transmitted: formulae which get a very low evaluation value do 
not enter LS. 




Strategy Parallelism. A search problem is typically solved by applying a uni- 
form search procedure. In automated deduction, different search strategies may 
have a strongly different behavior on a given problem. This especially holds 
for cooperative strategies. In general, it cannot be decided in advance 
which strategy is the best for a given problem. This motivates the competitive 
use of different strategies. In our approach, we employ the paradigm of strat- 
egy parallelism [WL98]. Strategy parallelism is, roughly speaking, the selection of 
more than one search strategy in combination with techniques to partition the 
available resources depending on the actual task. 

When trying to determine an optimal selection of strategies for a given set of 
problems, we are faced with the strategy allocation problem. For details on this 
problem see [WL98]. It was shown that this problem is strongly NP-complete. 
Therefore, in practice the determination of an optimal solution is not possible, 
at least not on larger sets and with classical methods. One reasonable possibility 
is to use a gradient procedure [Wol98b], as we do in our implementation. This 
procedure has been used to determine the schedule for the following experiments. 

Experiments. To determine the influence of the cooperation on the proof 
process, we compare the results of our lemma selection strategies with a suc- 
cessful conventional prover strategy of SETHEO. The considered lemma selec- 
tion strategies can be divided into two different approaches. In strategy 1 we 
define the relevancy of a lemma $f$ as the reciprocal value of its syntactic complex- 
ity. A special version of this strategy is discussed in [Dra98b]. Here, we mea- 
sure the syntactic complexity of a unit lemma $f$ in two variants. The symbol 
size $sc_1(f)$ counts the number of constant and function symbols contained in 
the assertion of $f$. The symbol depth $sc_2(f)$ describes the length of the longest 
path in the assertion of $f$ represented as a symbol tree. Strategy 2 defines the 
relevancy of a lemma $f$ in terms of its similarity to the query $q$. The main 
idea of this strategy is the identification of lemmata which are useful with re- 
spect to a step-by-step construction of the query $q$ [Dra98a]. The first version 
of strategy 2 sets the relevancy to be the structural similarity $sq_1(f)$, the sec- 
ond version uses the signature similarity $sq_2(f)$. Let $w_1, \ldots, w_n$ be the maximal 
sub-terms contained both in $f$ and $q$. Then the function $sq_1(f)$ is defined to be 

$$sq_1(f) = sc_1(q) + sc_1(f) - 2 \cdot sc_1(w_1) - \ldots - 2 \cdot sc_1(w_n).$$

Similarly, the function $sq_2(f)$ counts the numbers $n_q(a_i)$, $n_f(a_i)$ of occurrences 
of each function, constant, and predicate symbol $a_1, \ldots, a_m$ contained in $q$ and $f$. 
The value of $sq_2(f)$ is determined by 

$$sq_2(f) = |n_q(a_1) - n_f(a_1)| + \ldots + |n_q(a_m) - n_f(a_m)|.$$
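As an added illustration (Python written for this page, not code from the paper or from SETHEO), the following definitions compute the symbol size sc1, the symbol depth sc2 and the two similarity measures sq1 and sq2 on a toy term representation. The term encoding, the exclusion of the predicate symbol from sc1/sc2, and the counting of each distinct maximal common sub-term once in sq1 are assumptions, since the text does not fix these details.

```python
# Added example, not code from the paper or from SETHEO: the measures sc1, sc2,
# sq1 and sq2 described above on a toy term representation. Assumptions: a term is
# a variable (a str) or a tuple (symbol, *argument terms), constants being 1-tuples
# such as ('a',); a unit lemma or query is a literal of the same shape, e.g.
# ('p', t1, t2); sc1 and sc2 range over the argument terms only (predicate excluded).
from collections import Counter

def sc1(t):
    """Symbol size: number of constant and function symbols in a term."""
    return 0 if isinstance(t, str) else 1 + sum(sc1(a) for a in t[1:])

def sc2(t):
    """Symbol depth: length of the longest path in the symbol tree of t."""
    return 0 if isinstance(t, str) else 1 + max((sc2(a) for a in t[1:]), default=0)

def size(lit):   # sc1 of the assertion of a unit lemma or query
    return sum(sc1(a) for a in lit[1:])

def depth(lit):  # sc2 of the assertion of a unit lemma or query
    return max((sc2(a) for a in lit[1:]), default=0)

def subterms(t):
    """All non-variable sub-terms of t, t itself included."""
    return set() if isinstance(t, str) else {t}.union(*(subterms(a) for a in t[1:]))

def lit_subterms(lit):
    return set().union(*(subterms(a) for a in lit[1:]))

def sq1(f, q):
    """Structural similarity sc1(q) + sc1(f) - 2*sc1(w1) - ... - 2*sc1(wn) for the
    maximal sub-terms w1..wn common to f and q (each distinct w_i counted once)."""
    common = lit_subterms(f) & lit_subterms(q)
    maximal = [w for w in common if not any(v != w and w in subterms(v) for v in common)]
    return size(q) + size(f) - 2 * sum(sc1(w) for w in maximal)

def symbols(lit):
    """Occurrence counts n(a) of every predicate, function and constant symbol."""
    counts = Counter()
    def walk(t):
        if not isinstance(t, str):
            counts[t[0]] += 1
            for a in t[1:]:
                walk(a)
    walk(lit)  # a literal has the same shape as a term, so the predicate is counted
    return counts

def sq2(f, q):
    """Signature similarity: sum of |nq(a) - nf(a)| over all symbols a of q and f."""
    nq, nf = symbols(q), symbols(f)
    return sum(abs(nq[a] - nf[a]) for a in nq.keys() | nf.keys())
```

With the query p(f(a, g(b))) and the lemma p(f(X, g(b))), the only maximal common sub-term is g(b), so sq1 is 4 + 3 - 2·2 = 3 and sq2 is 1 (the constant a occurs only in the query).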

In the first table we depict the time needed using each lemma evaluation 
strategy and a conventional reference strategy for some selected problems from 
the TPTP library. The time limit in this experiment was 300 seconds. The 
table shows by some examples how strongly the computational behavior of the 
considered strategies differs. 


problem    conventional  strategy 1  strategy 1   strategy 2       strategy 2
           strategy      sc1 (size)  sc2 (depth)  sq1 (structure)  sq2 (signature)
CAT008-1   -             -           13s          7s               28s
GEO004-1   -             66s         108s         -                -
GRP048-2   -             14s         -            20s              -
HEN006-3   -             -           -            138s             44s
LCL090-1   -             27s         68s          67s              151s
PUZ010-1   -             -           122s         137s             127s
RNG038-1   -             -           178s         3s               -
ROB016-1   92s           -           -            16s              17s
SYN310-1   187s          202s        55s          202s             51s

(- : no proof found within the time limit of 300 seconds)


The next table shows the summarized results on a subset of 92 problems (all 
problems not solvable by the conventional strategy in 20 seconds but solvable 
by one of the five strategies) taken from the 547 eligible problems of the CADE-15 
Automated Theorem Prover Competition. 


                          proofs    %    time (s)    %    time/proof (s)    %
strategy 1 size sc1         46     65     15825    102        344         156
strategy 1 depth sc2        41     62     16416    105        400         182
strategy 2 structure sq1    53     75     14217     96        268         122
strategy 2 signature sq2    40     56     17923    115        448         204
conventional                34     48     21181    136        622         283
strategy parallel           71    100     15589    100        220         100

We measure the time needed by our four lemma evaluation strategies to treat 
all problems and count the proofs. Then we do the same with the conventional 
reference strategy and the strategy parallel system p-SETHEO [Wol98a] (on one 
processor), which integrates the four cooperative strategies and the conventional 
one. The maximal amount of time spent on each proof attempt (even for the strategy 
parallel system) is 300 seconds. This experiment shows that the cooperative strategies 
are able to prove many more problems than the conventional strategy. But the 
sets of problems solved by the different lemma selection strategies differ greatly. 
This makes lemma generation strategies very convenient for strategy parallelism 
(lemma selection strategies tend to have a low overlap value, i.e., the non-trivial 
problems solved by these strategies differ significantly, see [WL98]). The strat- 
egy parallel combination of conventional and lemma selection based strategies 
combines the high number of solvable problems with comparatively low response 
times. 

Assessment and Future Work. The experimental results show that the com- 
bination of cooperating strategies can achieve very high speed-ups. Our lemma 
evaluation and selection techniques succeeded in solving problems which have 
been unreachable with conventional search methods. Nevertheless, the methods 
and techniques for information assessment and selection still need further 
research. Note that our cooperation approach can be combined with other 
parallelization paradigms like search space partitioning [SS94]. Thus, the good 
scalability of these models can easily be incorporated into our prover. 

A second advantage of our model is the adaptability of the underlying ap- 
proach to the difficulty of the actual proof task. The lemmata are generated step 
by step, and so we get new sets of selected lemmata during the whole run time 
of the generators. So a simple proof task may be proved even without starting a 
sub-prover with a lemma-enriched clause set, whereas difficult problems with a 
long run time will employ a large number of these sub-provers. 